A-8.2, r. 0.1 - Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents

Updated to 1 September 2025
This document has official status.
chapter A-8.2, r. 0.1
Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents
Credit Assessment Agents Act
(chapter A-8.2, ss. 66 and 73).
Insurers Act
(chapter A-32.1, ss. 485 and 496).
Act respecting financial services cooperatives
(chapter C-67.3, ss. 601.1 and 601.9).
Deposit Institutions and Deposit Protection Act
(chapter I-13.2.2, s. 43, par. u and s. 45.9).
Trust Companies and Savings Companies Act
(chapter S-29.02, ss. 277 and 286).
CHAPTER I
SCOPE AND INTERPRETATION
A.M. 2024-13, c. I.
1. This Regulation applies to the following financial institutions:
1°  insurers authorized under the Insurers Act (chapter A-32.1) and federations of mutual companies that are subject thereto;
2°  federations and credit unions not members of a federation that are subject to the Act respecting financial services cooperatives (chapter C-67.3);
3°  deposit institutions authorized under the Deposit Institutions and Deposit Protection Act (chapter I-13.2.2); and
4°  trust companies authorized under the Trust Companies and Savings Companies Act (chapter S-29.02).
This Regulation also applies to credit assessment agents designated under the Credit Assessment Agents Act (chapter A-8.2).
A.M. 2024-13, s. 1.
2. For purposes of this Regulation, information security incident means an attack on the availability, integrity or confidentiality of information systems or the information they contain.
A.M. 2024-13, s. 2.
CHAPTER II
MANAGEMENT OF INFORMATION SECURITY INCIDENTS
A.M. 2024-13, c. II.
DIVISION I
INFORMATION SECURITY INCIDENT MANAGEMENT POLICY
A.M. 2024-13, Div. I.
3. A financial institution or a credit assessment agent must develop and implement an information security incident management policy that includes, without limitation, procedures and mechanisms for detecting, assessing and responding to information security incidents that may occur within the institution, a credit union that is a member of a federation, the credit assessment agent, or a third party to which such institution, credit union that is a member of a federation, or credit assessment agent has entrusted the performance of any part of an activity, if the incident affects the activity entrusted to such third party.
The information security incident management policy shall also contain a procedure for the reporting of information security incidents to the officers or, where applicable, the managers of the financial institution or the credit assessment agent, including a procedure for the reporting of such incidents thereto when they occur within a credit union that is a member of a federation or a third party referred to in the first paragraph.
Furthermore, the policy must include a procedure for the reporting of incidents to any other stakeholders, including clients, third parties to which the institution or agent has entrusted the performance of any part of an activity, consumers, the Autorité des marchés financiers, and any other regulatory bodies.
A.M. 2024-13, s. 3.
4. A financial institution or a credit assessment agent must assign, in writing, responsibility for monitoring the management and reporting of information security incidents to one of its officers or, in the case of a financial services cooperative, one of its managers.
A.M. 2024-13, s. 4.
DIVISION II
REPORTING TO THE AUTORITÉ DES MARCHÉS FINANCIERS
A.M. 2024-13, Div. II.
5. Where an information security incident with potentially adverse impacts is reported to the officers or, where applicable, the managers of a financial institution or a credit assessment agent, the financial institution or the credit assessment agent must, not later than 24 hours from the time the incident is so reported, notify the Authority of the incident.
The financial institution or the credit assessment agent must, within that same period, also notify the Authority of any information security incident that has been reported or been the subject of a notice to a regulatory body, a person or a body responsible under law for the prevention, detection or repression of crime or statutory offences or contractually responsible for providing compensation for injury that may have been caused by the incident.
A.M. 2024-13, s. 5.
6. Where a financial institution or a credit assessment agent notifies the Commission d’accès à l’information, established under section 103 of the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1), of a confidentiality incident referred to in paragraph 2 of section 3.5 of the Act respecting the protection of personal information in the private sector (chapter P-39.1), it must notify the Authority of the incident at the same time.
A.M. 2024-13, s. 6.
7. A financial institution or a credit assessment agent shall notify the Authority of an information security incident by completing the form available on the Authority’s website.
A.M. 2024-13, s. 7.
8. A financial institution or a credit assessment agent must notify the Authority of developments in the situation not later than 3 days after notice is given to the Authority pursuant to section 5 and not later than every 3 days thereafter, until a notice is sent to the Authority confirming that the incident is under control and that operations have returned to normal.
A.M. 2024-13, s. 8.
9. A financial institution or a credit assessment agent shall send a report to the Authority within 30 days following the date the notice is sent to the Authority confirming that the incident is under control and that operations have returned to normal. The report shall, in particular:
1°  identify the source of the incident and the type of incident;
2°  provide the financial institution’s or credit assessment agent’s assessment regarding a potential recurrence of the incident; and
3°  describe the actions taken to reduce the likelihood of incidents of a similar nature occurring in the future.
A.M. 2024-13, s. 9.
DIVISION III
INFORMATION SECURITY INCIDENT REGISTER
A.M. 2024-13, Div. III.
10. A financial institution or a credit assessment agent must maintain a current information security incident register that shall include, for each incident:
1°  the date and time of the incident;
2°  the location of the incident;
3°  the nature of the incident;
4°  a detailed description of the incident, including the information specified in paragraph 2 of section 9;
5°  any injury caused by the incident;
6°  any third parties involved in the incident;
7°  actions taken;
8°  whether the residual risk is accepted or not accepted and the rationale for accepting or not accepting it;
9°  planned actions; and
10°  the incident close date.
A.M. 2024-13, s. 10.
11. A financial institution or a credit assessment agent must keep the information recorded in the register in a secure and confidential manner so as to maintain the information’s integrity for a minimum period of 5 years from the date of the report referred to in section 9.
A.M. 2024-13, s. 11.
CHAPTER III
MONETARY ADMINISTRATIVE PENALTIES
A.M. 2024-13, c. III.
12. A monetary administrative penalty of $250 in the case of a natural person and $1,000 in any other case may be imposed on a financial institution or a credit assessment agent contemplated in section 1 that:
1°  in contravention of section 4, fails to assign, in writing, responsibility for monitoring the management and reporting of information security incidents to one of its officers or, where applicable, one of its managers;
2°  in contravention of section 5, fails to notify the Authority of an incident not later than 24 hours after the time the incident is reported to its officers or, where applicable, its managers;
3°  in contravention of section 6, when notifying the Commission d’accès à l’information of an incident, fails to notify the Authority of the incident at the same time; or
4°  in contravention of section 8, fails to notify the Authority of developments in the situation not later than 3 days following the notice referred to in section 7 and not later than every 3 days thereafter, until a notice is sent to the Authority confirming that the incident is under control and operations have returned to normal.
A.M. 2024-13, s. 12.
13. A monetary administrative penalty of $500 in the case of a natural person and $2,500 in any other case may be imposed on a financial institution or a credit assessment agent referred to in section 1 that:
1°  in contravention of section 3, fails to develop or implement an information security incident management policy;
2°  in contravention of section 10, fails to maintain a current information security incident register; or
3°  in contravention of section 11, fails to keep the information in the information security incident register for a minimum period of 5 years from the date of the report contemplated in section 9.
A.M. 2024-13, s. 13.
CHAPTER IV
FINAL PROVISION
A.M. 2024-13, c. IV.
14. (Omitted).
A.M. 2024-13, s. 14.
REFERENCES
M.O. 2024-13, 2024 G.O. 2, 3897