The Office of the Superintendent of Financial Institutions (OSFI) recently launched a three-month public consultation on draft Guideline B-13: Technology and Cyber Risk Management. The draft guideline applies to all federally regulated financial institutions (FRFIs) and sets out OSFI's expectations for technology and cyber risk management, each paired with a desired outcome, in the following five domains:
- Governance and risk management – Technology and cyber risks are governed by clear responsibilities and structures, as well as by comprehensive strategies and frameworks;
- Technology operations – A stable, scalable and resilient technology environment that is kept current and supported by robust and sustainable technology operating processes;
- Cybersecurity – A secure technology posture that preserves the confidentiality, integrity and availability of the FRFI's technology assets;
- Third-party technology and cyber risk – Reliable and secure technology and cyber operations from third-party providers; and
- Technology resilience – Technology services are delivered as planned, even through disruption.
OSFI recognizes that best practices in the use of technology and in the management of cyber risk must be dynamic and weighed against other areas of risk. OSFI recommends that FRFIs read the draft guideline together with other applicable guidelines, regulatory tools and supervisory communications, including Guideline E-21 (Operational Risk Management), Guideline B-10 (Outsourcing of Business Activities, Functions and Processes), the Technology and Cyber Security Incident Reporting Advisory, and the Cyber Security Self-Assessment tool.
Comments can be submitted to [email protected] by February 9, 2022.
“OSFI welcomes public comments on the draft B-13 guideline and is particularly interested in comments on:
• The clarity of OSFI’s expectations, as articulated in the draft guideline;
• The application of these expectations, depending on the size, nature, scope and complexity of the institution’s operations;
• The balance between principles and the prescriptive nature of OSFI’s expectations; and
• Other suggestions that contribute to OSFI’s mandate to protect depositors and policyholders, and maintain public confidence in the Canadian financial system, while allowing institutions to be competitive and take reasonable risks.”