ARTICLE
6 November 2013

Regulatory Guidance For Cyber Risk Self-Assessment

Borden Ladner Gervais LLP

Contributor

BLG is a leading, national, full-service Canadian law firm focusing on business law, commercial litigation, and intellectual property solutions for our clients. BLG is one of the country’s largest law firms with more than 750 lawyers, intellectual property agents and other professionals in five cities across Canada.

Canadian financial regulators have issued guidance for the self-assessment of cyber security practices. The guidance emphasizes the need for senior management to comprehensively review cyber risk management policies and procedures, and provides a detailed self-assessment template. All organizations can benefit from the regulatory guidance.

On October 23, 2013, the Office of the Superintendent of Financial Institutions of Canada (known as "OSFI") issued a memorandum entitled "Cyber Security Self-Assessment Guidance" (online: http://www.osfi-bsif.gc.ca/app/DocRepository/1/eng/notices/osfi/cbrsk_e.pdf) to assist federally regulated financial institutions ("FRFIs") in the self-assessment of their preparedness for cyber attacks.

The memorandum explains that OSFI expects an FRFI's senior management to review their institution's cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks. The memorandum also indicates that an FRFI's board of directors, or a committee of the board, should regularly review and discuss the institution's cyber risk management practices.

The memorandum includes a detailed self-assessment template that covers the following broad areas: (1) organization and resources; (2) cyber risk and control assessment; (3) situational awareness; (4) threat and vulnerability risk management; (5) cyber security incident management; and (6) cyber security governance. The template explains that the self-assessment should focus on the institution's current state of cyber security practices on an enterprise-wide basis, and should include the institution's material outsourcing arrangements (as defined by OSFI's Guideline B-10) and critical IT service providers (including related subcontracting arrangements).

The memorandum encourages FRFIs to use the self-assessment template to assess their current level of preparedness for cyber attacks and to develop and maintain effective cyber security practices. The memorandum also notes that OSFI might request that FRFIs complete the template during future supervisory assessments.

Cyber attacks are an increasing risk for many kinds of organizations. OSFI's memorandum, while directed to financial institutions, is a useful reminder and a helpful tool for any organization that wishes to establish and maintain effective cyber security practices.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
