23 April 2025

New Information Security Incident Framework For Quebec Financial Institutions

Blake, Cassels & Graydon LLP


On April 23, 2025, Quebec's Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents (Regulation) will come into force. Issued by the Autorité des marchés financiers (AMF) and approved by the Minister of Finance, this Regulation establishes a new framework for Financial Institutions (hereinafter defined) to manage and report "information security incidents."

Application

The AMF regulates Quebec's financial sector and assists consumers of financial products and services. Its regulatory activities include:

  • Insurance
  • Deposit institutions (excluding banks, which are federally regulated under the federal Bank Act)
  • Securities and derivatives
  • Distribution of financial products and services
  • Mortgage brokerage
  • Credit assessment

Entities wishing to engage in these financial activities in Quebec must obtain authorization from the AMF and be listed in a publicly available online register.

With this in mind, the new Regulation applies to designated credit assessment agents under the Credit Assessment Agents Act and the following financial institutions:

These entities are collectively referred to as "Financial Institutions."

Information Security Incident

The Regulation defines an "information security incident" as "an attack on the availability, integrity or confidentiality of information systems or the information they contain."

Notably, this definition of information security incidents is broader than the definition of "confidentiality incidents" under the Act respecting the protection of personal information in the private sector (Quebec Privacy Act), which refers to instances of unauthorized access, use, communication or loss of personal information, as well as any other breach of the protection of this information. It encompasses not only breaches of personal information but also other incidents affecting information systems. Presumably, it includes unlawful access to confidential or business information, data encryption or malware. Given the breadth of the definition, a case-by-case analysis will be necessary to determine whether notification must be provided to the AMF.

New Obligations

1. Developing an Information Security Incident Management Policy

The Regulation mandates that Financial Institutions develop and implement an information security incident management policy (Policy). The Policy must include procedures and mechanisms to detect, assess and respond to information security incidents within the Financial Institution or any third party entrusted with parts of its activities. The Policy must also include procedures for reporting these incidents to the Financial Institution's officers or managers, as well as to other stakeholders, such as clients, third parties, consumers, the AMF and other regulatory bodies.

Furthermore, the Financial Institution must assign in writing the responsibility for monitoring the management and reporting of information security incidents to one of its officers or, in the case of financial services cooperatives, one of its managers.

2. Reporting Information Security Incidents

The Regulation stipulates that notification must be provided to the AMF for the following information security incidents using the form on its website (not yet available):

a. Incidents with Potentially Adverse Impacts

  • An information security incident that may have "potentially adverse impacts" must be reported. We note that the Regulation does not define "potentially adverse impact" and provides no indication about the criteria that should be considered to make such a determination.
  • Notification Deadline: Within 24 hours of the officer or manager receiving a report.

b. Incidents Reported to Specific Organizations or Individuals

  • Any information security incident reported to or subject to a notice to:
    • a regulatory body;
    • an entity responsible for crime prevention, detection or repression; or
    • an entity contractually responsible for compensating injury caused by the incident.
  • Notification Deadline: Within 24 hours of the officer or manager receiving a report.

c. Confidentiality Incidents

  • Any confidentiality incident involving personal information that poses a risk of serious injury, such that it must be notified under the Quebec Privacy Act.
  • Notification Deadline: At the same time as notifying the Commission d'accès à l'information (CAI).

Following its initial notification to the AMF, the Financial Institution must provide the AMF with updates on the information security incident at least every three days, and it must continue to do so until it notifies the AMF that the incident is "under control" and operations have returned to normal. The Regulation does not characterize "under control."

In addition to the notifications, a post-incident report must be submitted to the AMF within 30 days of the notice indicating that the incident is under control and that operations have returned to normal. This report must identify the source of the incident, determine its type, assess the potential for recurrence and describe the actions taken to reduce the likelihood of incidents of similar nature occurring in the future.

3. Maintaining an Information Security Incident Register

A Financial Institution must maintain a current information security incident register and ensure that all recorded information for each incident is kept in a secure and confidential manner to preserve the information's integrity for at least five years from the date of the corresponding post-incident report. For each information security incident, the Financial Institution must record the date, time, location and nature of the incident, provide a detailed description, indicate any injury caused, identify any third parties involved, outline the actions taken, and indicate whether the residual risk is accepted or not, along with the rationale for this decision. Additionally, the register should list planned actions and record the incident close date. Financial Institutions should consider updating their record-keeping practices to reflect these new requirements.

Penalties

Monetary administrative penalties for various contraventions of the Regulation range from C$250 to C$500 for individuals and from C$1,000 to C$2,500 for Financial Institutions. Contraventions include, for instance, failures to develop an information security incident management policy, appoint an incident management officer, report incidents to the AMF within 24 hours or keep an information security incident register.

Best Practices

The Regulation imposes strict requirements for developing information security incident management policies, adhering to reporting obligations and maintaining records. To comply with the new obligations that aim to supplement existing laws on personal information protection, Financial Institutions should ensure they have robust policies, procedures and practices in place to handle information security incidents and meet these new regulatory requirements.

Financial Institutions should also remain aware of the various other reporting requirements that may apply to them. For example, some Financial Institutions, such as insurance companies and federally incorporated trust and loan companies, are also federally regulated financial institutions (FRFIs) and are subject to supervision by the Office of the Superintendent of Financial Institutions (OSFI). According to the OSFI instructions, FRFIs must report technology and cybersecurity incidents to OSFI within 24 hours. A list of federally regulated financial institutions is available on the OSFI website.

Other provinces may also have different requirements. In 2021, the British Columbia Financial Services Authority (BCFSA) developed an Information Security Guideline. Although it does not mandate a reporting scheme, financial institutions in British Columbia are expected to promptly notify BCFSA of any material information security incidents and submit an incident report within 72 hours.

Given the diverse and evolving regulatory landscape, Financial Institutions must stay informed and vigilant about their reporting obligations across various frameworks and be prepared to comply.

For permission to reprint articles, please contact the Marketing Department at bulletin@blakes.com.

© 2025 Blake, Cassels & Graydon LLP.
