Information Security Incident Management

Information security is a critical issue. In the face of increasingly sophisticated threats, information security incident management is becoming a top priority.

The management of information security incidents is governed by legal obligations requiring financial institutions to adhere to sound and prudent management practices.

The Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents (PDF, 279 KB; final version, updated October 24, 2024; in force April 23, 2025) sets out the incident reporting criteria developed in response to those obligations.

An Application and Implementation Guide (PDF, 370 KB; updated May 7, 2025) has been prepared to support organizations subject to the Regulation. It provides clarifications regarding:

  • the incident management policy
  • procedures and mechanisms
  • the incident register
  • incident reporting

The guide is designed to continually evolve to reflect incident reporting best practices, experience gained and stakeholder needs.

Definition of an information security incident

The Regulation defines an information security incident as an attack on the availability, integrity or confidentiality of information systems or the information they contain.

How to report an incident

Incidents must be reported via E-Services no later than 24 hours from the time an officer or, where applicable, a manager is informed of the situation. The report must be updated every three days thereafter.