The Québec AMF’s new information security incident reporting regime: what financial institutions need to know

On October 23, 2024, Québec’s Autorité des marchés financiers (AMF) published the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents [PDF] (AMF Regulation). Effective April 23, 2025, information security incident management and disclosure obligations for certain financial institutions and credit assessment agents will come into force. We note that many of these requirements align with expectations outlined in the AMF’s Guideline on Information and Communications Technology Risk Management.

I have co-authored an article which outlines the key obligations of the AMF Regulation and compares them with two existing reporting frameworks: the Office of the Superintendent of Financial Institutions’s (OSFI) Technology and Cyber Security Incident Reporting Advisory (OSFI Advisory) and the Regulation respecting confidentiality incidents (Private Sector Regulation) under Québec’s Act respecting the protection of personal information in the private sector (ARPPIPS).

Read our article on these key new requirements available on Osler’s website.

This content has been updated on January 14, 2025 at 17 h 19 min.