On October 28, 2013, OSFI released Cyber Security Self-Assessment Guidance (the Guidance) for federally regulated financial institutions (FRFIs). While the Guidance only applies to FRFIs, service providers to FRFIs will feel a "trickle-down" effect and, therefore, should familiarize themselves with the Guidance.
With cyber attacks becoming more frequent and more sophisticated, cyber security has grown in importance internationally, as well as in Canada, in recent years. Earlier this spring, in response to its growing concerns regarding "the rapid evolution of cyber attacks in terms of frequency, fire power and targets," the Office of the Superintendent of Financial Institutions (OSFI) identified cyber risk as one of its top priorities and indicated that one of OSFI's new initiatives would be the "in-depth review of institutions' current cyber protection practices."
OSFI, Canada's federal financial institutions regulator, indicates in the Guidance that it "expects FRFI Senior Management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks." The purpose of the Guidance, as explained by OSFI, is to assist FRFIs to assess their current level of preparedness to address cyber security risks and to develop and maintain effective cyber security practices.
Unlike the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for FRFIs to control and manage cyber security risk nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it "does not currently plan to establish specific guidance for the control and management of cyber risk."
Rather, the Guidance sets forth an 11-page self-assessment template that sets out "desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework."
The self-assessment template sets out six broad areas, each of which sets out more specific cyber security preparedness principles that form the criteria for the self-assessment. For each criterion, FRFIs are to rate their current degree of maturity on a scale of one to four (with "one" meaning that the FRFI has not yet implemented the principle, and with "four" meaning that the FRFI has fully implemented the principle enterprise-wide). It is worthwhile to note that in the template, FRFIs are urged to consider cyber security practices on an enterprise-wide basis. This theme is echoed in a number of the criteria in the template.
The following identifies each of the six broad areas covered in the template and provides a brief overview of the associated criteria:
Organization and Resources – The criteria relate to the FRFI's establishment of accountability and ownership of, and financial resources for, its cyber security framework; the FRFI's organizational structures and capabilities for managing cyber security; and cyber security employee training and awareness. Interestingly, one of the criteria is whether the FRFI has a centrally managed group of cyber security specialists that is responsible for threat intelligence, threat management and incident response.
Cyber Risk and Control Assessment – The criteria relate to the FRFI's processes for assessing cyber risk across all business lines and geographies; the assessment and mitigation of cyber risk arising from material outsourcing arrangements and critical IT service providers; the consideration of cyber risk in change management processes and due diligence processes; security testing of IT assets, infrastructure and network systems; conduct of cyber attack and recovery simulations; and impact assessment of extended, nationwide Internet outages.
Situational Awareness – The criteria relate to the FRFI having an enterprise-wide knowledge base of its users, devices, applications and their relationships; central storage of historical security event information; analysis of security event information; monitoring and tracking of cyber security incidents in the industry and more broadly; and subscribing to industry research on cyber security.
Threat and Vulnerability Risk Management – The criteria relate to the FRFI's implementation of tools and controls for data loss detection/prevention and cyber incident detection and mitigation; the FRFI's implementation of security-related processes and controls for software, network infrastructure, configuration management, and network access and management; the FRFI's management of cyber security risk in material outsourcing arrangements and arrangements with critical IT service providers through due diligence; and provision of cyber security awareness and information to customers and clients and taking additional actions to protect customers and clients.
Cyber Security Incident Management – The criteria relate to the FRFI's incident management framework and its associated processes and procedures (including change management processes, incident escalation protocols and communications protocols), and their ability to support rapid response to cyber security incidents, service recovery, systems integrity, the loss or recovery of data, and post-incident review of cyber security incidents.
Cyber Security Governance – The criteria are divided into five subcategories. The first category relates to the FRFI's establishment of an enterprise-wide cyber security policy that is linked to other relevant risk management policies, as well as the establishment of a cyber security strategy (and implementation plan) that is aligned with the FRFI's business plan. The second category relates to the FRFI's risk management approach to cyber security risk. The third category relates to the FRFI's internal audit practices as they relate to cyber security. The fourth category relates to the participation and role of the FRFI's senior management and board in addressing cyber risk and implementing the FRFI's cyber security framework. The fifth and final category relates to the FRFI conducting an external benchmarking review of its cyber security framework.
FRFIs are well advised to take notice of the Guidance as OSFI clearly states that "OSFI may request institutions to complete the template or otherwise emphasize cyber security practices during future supervisory assessments."
Although the Guidance applies only to FRFIs, ripple effects are anticipated to be felt by outsourcing service providers and critical IT service providers to FRFIs. Since a number of criteria against which FRFIs are to self-assess relate to arrangements with material outsourcing providers and critical IT service providers (including related subcontracting arrangements), FRFIs may look to such providers to provide a similar self-assessment. In addition, service providers to FRFIs may be asked by FRFIs to subject themselves to more rigorous security reviews (not only as part of initial due diligence, but also during the term of the arrangement), as the template includes criteria respecting security due diligence and monitoring the level of cyber risk preparedness for material outsourcing arrangements and critical IT service providers. Finally, service providers to FRFIs may be asked by FRFIs to include in their services contracts more fulsome security terms and conditions that incorporate some of the principles set out in the Guidance.