August 4, 2022

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) announced the final version of its new Guideline B-13 – Technology and Cyber Risk Management. The Guideline establishes OSFI's expectations for how federally regulated financial institutions (FRFIs) manage technology and cyber risks. Many FRFIs will be required to make substantial changes to their information technology and cybersecurity policies, practices and procedures before the Guideline comes into effect on January 1, 2024. The Guideline is also an important summary of best practices for other kinds of organizations.

OSFI and cybersecurity

OSFI is an independent agency of the Government of Canada that regulates and supervises FRFIs, including banks, federally incorporated or registered trust and loan companies, insurance companies, and pension plans subject to federal oversight. Over the years, OSFI has emphasized the importance of cybersecurity and issued guidance and requirements to help FRFIs implement policies and practices to manage cyber risks and effectively respond to cyber incidents, including OSFI's Cyber Security Self-Assessment (issued in 2013 and updated in 2021) and OSFI's Advisory on Technology and Cyber Security Incident Reporting (issued in 2019 and updated in 2021). See BLG bulletins OSFI Updates Technology and Cyber Security Incident Reporting Advisory and Regulatory Guidance for Cyber Risk Self-Assessment.

In 2020, OSFI issued a discussion paper and began a consultation on technology risks and resilience in the financial sector. The process resulted in OSFI's new Guideline B-13 and will inform OSFI's proposed updated Guideline B-10 – Third-Party Risk Management (which will replace OSFI's current Guideline B-10 – Outsourcing).

Guideline B-13

Purpose and scope

OSFI's new Guideline B-13 – Technology and Cyber Risk Management (the Guideline) establishes OSFI's expectations for FRFIs' management of technology risks and cyber risks. The Guideline broadly defines "technology risk" (which, for the purposes of the Guideline, includes "cyber risk") as "the risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorised access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs, and can result in financial loss and/or reputational damage". The Guideline likewise defines "technology assets" broadly, as both tangible and intangible assets, including data and information, that need protection and support the provision of technology services.

The Guideline applies to all FRFIs without exception, but acknowledges that "there is no one-size-fits-all approach for managing technology and cyber risks". The Guideline explains that it "should be read, and implemented, from a risk-based perspective that allows FRFIs to compete effectively and take full advantage of digital innovation, while maintaining sound technology risk management".

The Guideline also explains that it should be read in conjunction with other OSFI guidance, tools and supervisory communications, guidance from the Canadian Centre for Cyber Security, and other recognized frameworks and standards for technology operations and information security.

Layered approach – Outcomes, principles and controls

OSFI explained that the Guideline takes a "layered approach" to presenting OSFI's expectations. The Guideline is organized into three "domains" – Governance and Risk Management, Technology Operations and Resilience, and Cyber Security – with specified outcomes, which are supported by 16 general principles and 57 statements of recommended controls.

The Governance and Risk Management domain sets OSFI's expectations for a FRFI's formal accountability, leadership, organizational structure and framework used to support risk management and oversight of technology and cyber security. The specified outcome is the governance of technology and cyber risks through clear accountabilities and structures, and comprehensive strategies and frameworks.

The Technology Operations and Resilience domain sets OSFI's expectations for a FRFI's management and oversight of risks related to the design, implementation, management and recovery of technology assets and services. The specified outcome is a technology environment that is stable, scalable and resilient, kept current and supported by robust and sustainable technology operating and recovery processes.

The Cyber Security domain sets OSFI's expectations for a FRFI's management and oversight of cyber risk. The specified outcome is a secure technology posture that maintains the confidentiality, integrity and availability of the FRFI's technology assets.

Third-party provider risks

The Guideline does not expressly reference the management of third-party provider technology and cyber risks, which were included in the initial draft of the Guideline. OSFI explained that those risks were removed in response to consultation feedback, and will be addressed in OSFI's updated Guideline B-10 – Third-Party Risk Management.

