On October 28, 2013 the Office of the Superintendent of
Financial Institutions Canada ("OSFI") released a
memorandum and self-assessment guideline for Federally Regulated
Financial Institutions ("FRFIs") to assist with
assessing, developing, and maintaining effective cyber security
practices.1 OSFI expects senior management of FRFIs to
review cyber risk management policies to ensure they remain
effective in light of changing circumstances and risks.
OSFI cites the increased frequency and sophistication of recent
cyber-attacks, the increasing reliance on technology, the
interconnectedness of the financial sector and the critical role
that FRFIs play in the economy as reasons why FRFIs are expected to
have an appropriate and effective cyber management policy.
Cyber security self-assessment template
OSFI's template sets out certain desirable properties and
characteristics of cyber security practices that a FRFI could use
when assessing and planning enhancements to its cyber security
framework. OSFI encourages FRFIs to reflect their current state of
cyber security practices, rather than their target state, and to
consider cyber security on an enterprise-wide basis. OSFI suggests
that FRFIs rate their current degree of maturity on a scale of 1 to
4 (4 being fully implemented; 1 being not implemented). The six
categories of assessment are:
1. organization and resources: whether the
FRFI has established clear accountability and ownership of, and
financial resources for, the cyber security framework including
whether there are cyber security staff properly screened and
2. cyber risk and control: whether the
FRFI has proper processes to conduct regular and comprehensive
cyber risk assessment including assessments of outsourcing
arrangements and critical IT service providers and whether the FRFI
undertakes regular vulnerability scans, testing with third party
cyber mitigation services and simulation exercises.
3. situational awareness: whether the FRFI
maintains a knowledge base of users, devices and applications and
their relationships to software, hardware and the FRFI network;
whether the FRFI properly records and stores a history of security
event information, conducts automated analysis of security events,
conducts additional expert analysis, and whether the FRFI monitors
and tracks security incidents in the financial services industry
and more broadly where relevant.
4. threat and vulnerability risk management:
whether the FRFI has tools implemented to prevent unauthorized data
from leaving the institution, monitors outgoing traffic and
properly safeguards data; whether the FRFI has installed standard
security tools; and whether there are proper methods of defence to
prevent DDoS attacks and the proper tools implemented to secure
mobile devices and wireless networks.
5. cyber security incident management:
whether the FRFI has the ability to monitor, analyze, and quickly
respond to material cyber security incidents; whether there are
appropriate internal and external communication plans in place to
address cyber security incidents; and whether there are appropriate
post-incident review processes.
6. cyber security governance: whether the FRFI
has the appropriate enterprise-wide policies, risk management
procedures, auditing, and external benchmarks of such policies and
procedures; whether there is proper oversight from senior
management and board of directors.
OSFI recognizes that many FRFIs likely already have their own
internal assessment process for such cyber-security-related
procedures. The OSFI memo and guideline are provided to assist in
FRFI self-assessment activities, and OSFI states that it does not
currently plan on establishing specific guidance for the control and
management of cyber risk. However, OSFI has indicated that it may
request a FRFI to complete the template or otherwise emphasize
cyber-security practices during future supervisory assessments,
which it describes as in line with its enhanced focus on cyber
security as highlighted in its Plan and Priorities for