Regulatory Alerts2023-12-07
Regulation Respecting the Management and Reporting of Information Security Incidents by Financial Institutions and Credit Assessment Agents
The Autorité des marchés financiers has issued this regulation to mandate that designated financial institutions and credit assessment agents establish robust information security incident management policies and assign clear monitoring responsibilities to their officers or managers. The framework imposes strict reporting timelines, requiring an initial notification within 24 hours of a potentially adverse incident, subsequent updates every three days until closure, and a comprehensive final report within 30 days. Additionally, entities must maintain a secure incident register for at least seven years and face monetary administrative penalties ranging from $250 to $2,500 for non-compliance with these management and reporting obligations.
Share