Harmonizing cyber reporting – A step toward more predictable regulation


News release

Publication date: 08/07/2025
Contact(s): Sarah Hobbs

When a cyber criminal attempts to attack an insurer or one of its third parties, the insurer must act quickly, not just to contain the threat but also to report the incident to regulators. But this task is more complex and time-consuming than one might expect – because reporting rules are significantly different from one province to the next.
Insurers are well aware of cyber risk. The industry has long maintained strong cyber security and privacy protocols, and has deep expertise in risk management. Some insurers also provide cyber insurance to commercial clients. Still, as the threat environment intensifies, even the most sophisticated of organizations can be targeted in a cyber attack.

A welcome report from CCIR

This is why a new position paper from the Canadian Council of Insurance Regulators (CCIR) is a welcome development. It acknowledges the regulatory burden created by inconsistent cyber reporting requirements from province to province, and outlines a path to greater harmonization and clarity.

The CCIR report, “Harmonization of Incident Reporting Frameworks,” confirms many of the challenges that insurers have raised in recent years, including a lack of shared terminology, inconsistent reporting timelines, and a lack of clarity about the threshold for what constitutes a reportable incident. The report also recognizes that during the early stages of an incident, asking insurers for a comprehensive report is premature because short reporting windows can divert resources from urgent response efforts.

The paper makes key recommendations on all these fronts, including clearer rules about when incidents need to be reported, more flexible deadlines, and consistent reporting standards across provinces and territories. It also encourages flexible reporting rules that reflect the fact that not all cyber incidents are equally serious, and that financial institutions vary in size and capacity.

These recommendations closely align with a long-standing call for a consistent national approach to incident reporting by Insurance Bureau of Canada (IBC) and the Canadian Life and Health Insurance Association (CLHIA). In past submissions, our industries have urged regulators to accept a single report – the one used by the Office of the Superintendent of Financial Institutions (Canada’s federal financial solvency regulator) – as sufficient across jurisdictions. A single report would help ensure that insurer resources remain focused on managing the incident, not on duplicating paperwork.

The need for harmonized regulation extends beyond cyber incident reporting. Whether it’s incident reporting or the ability of licensed adjusters, or licensed life insurance agents, to work across provincial lines, inconsistent rules remain a recurring challenge in the insurance industry. These “disconnects” can limit responsiveness and reduce system efficiency at times when both are urgently needed.

A blueprint for more harmonized regulation

The CCIR’s position paper shows what’s possible when regulators work together to reduce fragmentation. By proposing a more coordinated approach to cyber incident reporting, it offers a practical blueprint for how harmonization can improve clarity, reduce duplication, break down inter-provincial barriers, and strengthen the system as a whole.

Expanding this kind of approach to other areas of regulation would bring benefits across the board. For insurers, it would create greater predictability and free up resources to focus on innovation and service. For regulators, it would streamline oversight and improve coordination. All of this is to the ultimate benefit of consumers: more responsive service and products, improved innovation, and cost savings over time.

As Canada faces growing economic and competitive pressures, the need for regulatory harmonization is more urgent than ever. It’s essential to keeping Canada competitive on the global stage and attracting investment in our economy. The insurance industry encourages CCIR to continue its leadership in advancing this approach beyond cyber reporting. Our industry stands ready to support efforts to identify and implement further opportunities for harmonization.