Cybersecurity Resilience Among Financial Institutions

Order 2024-13, issued by the Minister of Finance on October 7, 2024, establishes a regulation focused on managing and reporting information security incidents by certain financial institutions and credit assessment agents in Quebec. This order, authorized under several legislative acts—including the Credit Assessment Agents Act, Insurers Act, Act respecting financial services cooperatives, Deposit Institutions and Deposit Protection Act, and the Trust Companies and Savings Companies Act—was created to ensure that these entities uphold stringent cybersecurity measures to protect sensitive data and respond appropriately to potential security threats.

The regulation mandates that all covered entities, including insurers, mutual company federations, financial services cooperatives, deposit institutions, and credit assessment agents, develop and enforce a comprehensive information security incident management policy. This policy must include mechanisms for detecting, evaluating, and addressing information security breaches, both within the institution and in any outsourced activities that may be impacted. Additionally, the policy requires procedures for escalating incidents to relevant parties, such as managers or officers within the institution, as well as to the Autorité des Marchés Financiers (AMF), affected clients, and other stakeholders as needed.

When an incident occurs that might impact information systems’ availability, integrity, or confidentiality, financial institutions and credit assessment agents must report it to the AMF within 24 hours of the event. They are also required to notify any other regulatory bodies, crime prevention agencies, or contractual parties accountable for mitigating damages. For incidents involving confidentiality breaches that require notification under Quebec’s privacy regulations, the AMF must also be informed simultaneously.

The reporting process to the AMF includes a detailed form submission via the AMF website, followed by regular updates on the incident status every three days until resolution. Once the incident is controlled, the entity must submit a final report within 30 days, covering the incident’s origin, recurrence risk, and future preventive measures.

In cases of non-compliance, financial institutions and credit assessment agents face monetary administrative penalties. Fines range from $250 for individuals to $1,000 for organizations if they fail to assign incident monitoring responsibilities, report incidents promptly, notify the AMF simultaneously with other agencies, or provide timely updates to the AMF. More substantial penalties of $500 to $2,500 may be levied for more severe breaches, such as failure to develop an incident management policy or maintain the incident register as required.

This regulation is aimed at enhancing cybersecurity resilience among financial institutions and credit assessment agents by imposing rigorous standards for incident management and by holding these entities accountable for lapses in their cybersecurity practices.

Quebec (MO 2024-13) October 23, 2024