Regulatory Alerts2021-08-13
Technology and Cyber Security Incident Reporting
The Office of the Superintendent of Financial Institutions (OSFI) and its French counterpart (BSIF) issued this 2025 standardized reporting form to require regulated financial institutions to systematically document and disclose technology and cybersecurity incidents. The template mandates precise data entry across incident timing, affected business lines, financial impact, recovery metrics, root causes, and threat actor indicators. It further standardizes multi-party notification protocols by capturing senior management alerts, regulatory submissions, law enforcement communications, and cyber insurance claims within a single unified report.
This document contains both information and form fields. To read information, use the Down Arrow from a form field. Protected B when completed i OSFI-BSIF TCSIR-SILTC 2025 Technology and Cyber Incident Report Incident information Institution name* Incident name or identifier Incident report type* * Incident status (Refer to instructions) Date, time and time zone the incident occurred (YYYY-MM-DD, HH:MM, TZ) Select date Time Time zone Date, time and time zone the incident was detected (YYYY-MM-DD, HH:MM, TZ) Select date Time Time zone Site location and lines of business affected Where did the incident occur?* (Refer to instructions) Third-party, subcontractor, or other details *Mandatory field Business line and service identification (Refer to instructions) Geographic site or locale affected (Refer to instructions) Technology assets affected (Refer to instructions)
Protected B when completed ii OSFI-BSIF TCSIR-SILTC 2025 Incident details Incident category* Incident severity or priority* Incident result (Refer to instructions) Incident type (Refer to instructions) Incident description (Refer to instructions) * Breach of recovery point objective (RPO) or recovery time objective (RTO) Activation of business continuity plans (BCPs) or disaster recovery plans (DRPs) Impact scope (Refer to instructions) Service delivery (Loss of) Sensitive information Media or public sentiment Estimated overall financial impact (in CAD) Estimated number of impacted users, clients, or transactions Estimated recovery timeframe Incident duration (Refer to instructions)
Protected B when completed iii Incident recurrence if yes, enter previous incident name or identifier(s) Incident root cause (Refer to instructions) Cyber threat actor details Threat-actor tactics, techniques, and procedures (TTP) (Refer to instructions) Indicators of compromise (IoC) – Hash, URL, email, IP, etc. (Refer to instructions) Internal and external notifications Senior management notification If yes, select the date, time and time zone (YYYY-MM-DD, HH:MM, TZ) Select date Time Time zone Other regulatory or supervisory notification Law enforcement or security agency notification Cyber insurance notification or claim submission OSFI-BSIF TCSIR-SILTC 2025