On October 28, OSFI released its Cyber Security Self-Assessment Guidance (the "Guidance") to aid Federally Regulated Financial Institutions ("FRFIs") in assessing their level of preparedness against cyber risks. The Guidance was drafted in response to OSFI's Plans and Priorities for 2013-2016, a plan that emphasizes vigilance against the increasing frequency and sophistication of cyber threats.
Cyber Security Self-Assessment Template
The Guidance directs FRFIs to conduct self-assessments against a number of criteria in the following six categories:
Organizational Resources, e.g. whether the FRFI has assigned specific roles and responsibilities for the management of cyber security.
Cyber Risk and Control Assessment, e.g. whether the FRFI assesses and takes steps to mitigate potential cyber risk arising from its outsourcing arrangements deemed material under OSFI's Guideline B-10.
Situational Awareness, e.g. whether the FRFI maintains a current enterprise-wide knowledge base of its users, devices, applications, and their relationships.
Threat and Vulnerability Risk Assessment, e.g. whether the FRFI has implemented tools to prevent unauthorized data from leaving the enterprise.
Cyber Security Incident Management, e.g. whether the FRFI's change management process has been designed to allow for rapid response and mitigation to material cyber
Cyber Security Governance, e.g. whether a Senior Management committee has been established that is dedicated to the issue of cyber risk.
Interestingly, unlike the recently released U.S. NIST Preliminary Cybersecurity Framework, the Guidance is broad and does not reference external standards (e.g. ISO standards). As a consequence, there is a large degree of subjectivity involved in the self-assessment. While OSFI has stated that it has no current plans to establish more specific guidance, OSFI also confirmed that it may request FRFIs to complete this template during future supervisory assessments.
Prepared with Assistance from Sam
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.