Obligation to Report Information Security Incidents: The Autorité des Marchés Financiers Catches the Wave and Publishes a New Regulation

On October 24, the Autorité des marchés financiers (“AMF”) published the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents (the “Regulation”), with provisions coming into force on April 23, 2025. 

This Regulation introduces a special notification regime in the event of an “information security incident”. This bulletin explains to whom this Regulation applies, the obligations it entails, and its scope, particularly in light of the existing obligations under the Act Respecting the Protection of Personal Information in the Private Sector (“Private Sector Act”) regarding notification in the event of a “confidentiality incident”. 

Organizations Covered by the Regulation 

The Regulation applies to the following organizations, which are already subject to the Private Sector Act: 

• Insurers authorized under the Insurers Act and federations of mutual companies covered by this Act 
• Federations and credit unions that are not members of a federation and are covered by the Act Respecting Financial Services Cooperatives 
• Deposit institutions authorized under the Deposit Institutions and Deposit Protection Act 
• Trust companies authorized under the Trust Companies and Savings Companies Act
• Credit assessment agents designated under the Credit Assessment Agents Act

Information Security Incident Obligations 

As for the scope of the Regulation, it is important to understand the types of information it covers. An “information security incident” is defined in the Regulation as “an attack on the availability, integrity or confidentiality of information systems or the information they contain.” This definition is broad. Thus, a technical failure of information systems preventing access to these systems could constitute an “information security incident” subject to the Regulation. 

The definition of “information” in this Regulation has a broader scope than that of the Private Sector Act. In other words, an “information security incident” under the Regulation could encompass documents containing information such as a company’s financial information, product and service information, or reports and statistics, for instance; whereas a “confidentiality incident” under the Private Sector Act only involves documents containing personal information.  

Essentially, the obligations imposed on financial institutions and credit assessment agents under the Regulation are as follows: 

• Establish and implement an information security incident management policy, including mechanisms to detect, assess, and respond to information security incidents.  
• Appoint an officer or manager responsible for monitoring and supervising the management and reporting of information security incidents. 
• Notify the AMF, via an online form, of information security incidents that are likely to have adverse impacts and those that have been the subject of a notice to a regulatory authority, such as the Commission d’accès à l’information, no later than 24 hours after the time an officer or manager is informed of the incident. In addition to the notice, necessary follow-ups must be made to the AMF every three days, and a final report must be submitted to the AMF no later than 30 days after the incident is contained.  
• Maintain an information security incident register and retain entries for at least five years. 

Planned Penalties

The Regulation provides for monetary administrative penalties for any failure to comply with its obligations contained therein. 

 

Takeaways 

• The Regulation adds a framework that supplements existing laws governing the protection of personal information. In other words, even if your organization already complies with the obligations under the Private Sector Act, it must still take action today to comply with the specific requirements of the Regulation. 
• An information security incident as defined in the Regulation could also involve personal information. Thus, faced with the same incident, an organization may need to fulfill the obligations under both the Regulation and the Private Sector Act. 
• Covered organizations must implement an information security incident management policy, including procedures and mechanisms to detect, assess, and address incidents. 
• Organizations subject to the Regulation must also keep an information security incident register, which must include the date and time of the incident, its location, its nature, a detailed description, any injury caused, any third parties involved, actions taken by the organization, reasons for accepting or rejecting the risk, planned actions, and the incident close date. 
• It should be noted that for an information security incident as defined in the Regulation, the notices to be sent to the AMF are more numerous than those to be sent to the Commission d’accès à l’information under the Private Sector Act in the event of a confidentiality incident. Indeed, in addition to the information security incident notice, the Regulation also provides for updates to be sent to the AMF, followed by the submission of a final report. 
• Covered organizations must ensure that their contracts with service providers, particularly those who host their information systems on their behalf, contain a contractual clause requiring the service provider to notify the organization of any “information security incidents” affecting its information. In other words, the notification obligation imposed on service providers must cover both confidentiality incidents within the meaning of the Private Sector Act, and “information security incidents” within the meaning of the Regulation. 

For any questions or advice on implementing these practices, do not hesitate to contact BCF’s Data Protection, Privacy and Cybersecurity team.