New security incident reporting obligations for certain financial institutions in Québec

On October 23, 2024, Québec’s Autorité des marchés financiers (AMF) published the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents (the Regulation). The Regulation, which comes into force on April 23, 2025, will impose obligations on certain financial institutions to manage, report and maintain records of information security incidents.

What you need to know

• Scope: The Regulation applies to certain financial institutions regulated by existing Québec legislation.
• New obligations:
  • Institutions must put in place an information security incident management policy and designate an individual responsible for its oversight.
  • Institutions must report incidents to the AMF and continue reporting progress until incidents resolve.
  • Institutions must maintain a record of incidents for five years after the incident is resolved.
• Administrative monetary penalties: Institutions that breach provisions of the Regulation may be liable to pay penalties of up to $2,500, depending on the nature of the breach.

The Regulation

The Regulation was published after a draft regulation was circulated for public consultation in December 2023. Its provisions will come into force on April 23, 2025.

To whom does the Regulation apply?

The Regulation, and the new obligations it imposes, will apply to the following financial institutions already regulated by existing legislation in Québec:

• insurers and federations of mutual companies holding a license under the Insurers Act;
• financial institutions covered by the Act respecting financial services cooperatives;
• deposit institutions authorized under the Deposit Institutions and Deposit Protection Act;
• trust companies authorized under the Trust Companies and Savings Companies Act; and
• credit assessment agents under the Credit Assessment Agents Act.

New obligations under the Regulation

The Regulation defines “information security incident” as a breach to the availability, integrity or confidentiality of information systems or the information which those systems contain. The Regulation imposes three main obligations:

• Information security incident management policy
  • Institutions must put in place a policy that includes procedures to detect, assess and respond to incidents that may occur.
  • The policy must include a procedure to report incidents to clients, consumers and third parties.
  • The institution must designate an individual to oversee the management and reporting of incidents.
• Reporting to the AMF
  • Institutions must report (i) incidents with potentially adverse impacts and (ii) incidents that must be reported to other law enforcement or regulatory bodies within 24 hours of being informed of the incident.
  • The AMF will create a reporting form and guide on its website.
  • Institutions must provide updates to the AMF every three days after the original notice is given.
  • Institutions must provide a closing report to the AMF 30 days after the incident is resolved, identifying the source and type of incident, an assessment of the potential recurrence of the incident, and any measures taken to reduce the likelihood of recurrence.
• Keeping records
  • Institutions must keep fulsome records of incidents in a register, which must be maintained for at least five years from the date the institution submits a closing report to the AMF.

Administrative monetary penalties

Institutions that fail to comply with new obligations may be liable to pay administrative monetary penalties. The penalty amount differs based on the nature of the breach and whether the breach was caused by an individual or an institution.

Serious breaches include failure to establish an incident management policy, failure to keep an updated register of incidents and failure to keep records for the five-year retention period. Institutions that commit serious breaches may be liable to pay a penalty of up to $2500.

Preparing for the Regulation

While institutions that fall under the ambit of the Regulation have time before its provisions come into force in April 2025, care should be taken to ensure that existing policies and reporting mechanisms comply with the new obligations. Even where reporting regimes are already in place, such as to the Commission d'accès à l'information under Québec privacy law, institutions must ensure reporting to the AMF.

Institutions should be aware of the varying reporting standards under different regulatory regimes. As drafted, the Regulation poses a heavy burden on institutions to report any incident with potentially adverse impacts within 24 hours of being informed of the incident. Institutions should be prudent in reporting all incidents and engage counsel where unsure.