
New Obligations for Financial Institutions Regarding Information Security Incidents

The Regulation respecting the management and reporting of information security incidents (“Regulation”) of the Autorité des marchés financiers (“AMF”) came into force on April 23, 2025. The Regulation establishes a special information security incident (“incident”) reporting regime for financial institutions.

Scope

Financial institutions, within the meaning of the Regulation, include the following:

  • insurers authorized under the Insurers Act and federations of mutual companies that are subject thereto;
  • federations and credit unions not members of a federation that are subject to the Act respecting financial services cooperatives;
  • deposit institutions authorized under the Deposit Institutions and Deposit Protection Act;
  • trust companies authorized under the Trust Companies and Savings Companies Act;
  • credit assessment agents designated under the Credit Assessment Agents Act.[1]

Within the meaning of the Regulation, an “information security incident” is “an attack on the availability, integrity or confidentiality of information systems or the information they contain.”[2] This definition is broader than that of a “confidentiality incident” under the Act Respecting the Protection of Personal Information in the Private Sector (“Private Sector Act”): the AMF regime covers attacks on availability and integrity as well as confidentiality, and applies to any information held in the institution’s systems, not only personal information. Moreover, the Private Sector Act requires the Commission d’accès à l’information to be notified only where a confidentiality incident presents a risk of serious injury to the persons concerned.[3]

Incident Reporting

A financial institution must report any incident with potential adverse impacts to the AMF within 24 hours of the incident first being reported to its internal managers.[4] The term “adverse impacts” has not yet been defined or interpreted by the AMF, so institutions should treat the threshold conservatively when deciding whether the 24-hour clock has started.

The financial institution must then report to the AMF on the status of the incident every three days until it is resolved, and must send a final report no later than 30 days after the incident has been brought under control.[5]

Other Obligations

The Regulation imposes a number of other obligations to ensure that incidents are properly managed by financial institutions:

  • Assign, in writing, a person responsible for the management of incidents.[6]
  • Implement an incident management policy that includes procedures and mechanisms for detecting, assessing and responding to incidents. It must also contain a procedure for reporting incidents to the officers or managers of the financial institution, as well as to third parties (clients, providers, consumers, the AMF and other regulatory bodies).[7]
  • Maintain a confidential and secure incident register.[8]
  • Coordinate the reporting of an incident with other competent authorities like the Office of the Superintendent of Financial Institutions, the Commission d’accès à l’information or a police force.[9]

Penalties

In case of non-compliance, the Regulation provides for monetary administrative penalties ranging from $250 to $2,500.[10]

In Compliance with Your Obligations?

Our Privacy and Cybersecurity team can help you:

  • establish, update and operationalize your incident management policy;
  • prepare your internal notification procedures;
  • set up an AMF-compliant register;
  • raise awareness and train your in-house teams;
  • coordinate and manage your incidents.


[1] Regulation respecting the management and reporting of information security incidents, AMF, s. 1 (hereinafter “AMF Regulation”).

[2] Id., s. 2.

[3] Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1, s. 3.5.

[4] AMF Regulation, s. 5.

[5] Id., s. 8-9.

[6] Id., s. 4.

[7] Id., s. 3.

[8] Id., s. 10-11.

[9] Id., s. 3.

[10] Id., s. 2.
