Setting New Standards For Cyber Resilience: OSFI's Draft Guideline On Technology And Cyber Risk Management – Finance and Banking – Canada – Mondaq News Alerts

On November 9, 2021, the Office of the Superintendent of Financial Institutions Canada (OSFI) published Draft Guideline B-13: Technology and Cyber Risk Management (the “Draft Guideline”), which sets out OSFI's expectations for federally regulated financial institutions (FRFIs) on technology and cyber risk management. The Draft Guideline would apply to all FRFIs, including banks and insurance companies, with the stated objective of helping FRFIs develop “greater resilience to technology and cyber risks”. On the same date, OSFI opened a three-month public consultation on the Draft Guideline to engage stakeholders in its development; public comments are invited until February 9, 2022.
The Draft Guideline uses materially similar definitions for “technology risks” and “cyber risks”:
Both definitions capture risks to information technology systems and the potential for financial loss. The key distinction is one of scope: cyber risk also covers the data hosted in those systems, as distinct from the technology itself, whereas technology risk also covers other infrastructure, people and processes. Cyber risk further encompasses a broader range of potential harms, including operational disruption and reputational damage.
The Draft Guideline is organized into five domains: Governance and Risk Management, Technology Operations, Cyber Security, Third-Party Provider Technology and Cyber Risk, and Technology Resilience. For each domain it sets out OSFI's expectations, the key components of sound technology and cyber risk management, the desired risk management outcome, and guiding principles, which are summarized in the table below. FRFIs will be evaluated against these expectations commensurate with their size, the nature, scope and complexity of their operations, and their risk profiles:
Domain 1: Governance and Risk Management
Expectations: Sets OSFI's expectations on formal accountability, leadership, organizational structure and framework used to support risk management and oversight of technology and cyber security.
Desired Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
Principles: 1 to 3

Domain 2: Technology Operations
Expectations: Sets OSFI's expectations on management and oversight of risks related to the design, implementation and management of technology assets and services.
Desired Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.
Principles: 4 to 11

Domain 3: Cyber Security
Expectations: Sets OSFI's expectations on management and oversight of cyber risk.
Desired Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI's technology assets.
Principles: 12 to 15

Domain 4: Third-Party Provider Technology and Cyber Risk
Expectations: Expands on OSFI's existing guidance for outsourcing and third-party risk, and sets expectations for FRFIs that engage with third-party providers to obtain technology and cyber services that give rise to cyber and/or technology risk.
Desired Outcome: Reliable and secure technology and cyber operations from third-party providers.
Principles: 16

Domain 5: Technology Resilience
Expectations: Sets OSFI's expectations on the capabilities to deliver technology services through operational disruption.
Desired Outcome: Technology services are delivered, as expected, through disruption.
Principles: 17

The Draft Guideline acknowledges that technology and cyber security best practices are fluid and dynamic, and encourages FRFIs to also consult other OSFI guidance, tools and supervisory communications, along with other applicable guidance from relevant authorities, particularly the following:
OSFI's three-month public consultation is intended to reflect continued stakeholder engagement and transparency on the Draft Guideline, and to assist OSFI in striking a balance between its prudential objectives and facilitating the ability of financial institutions to compete. Public comments are particularly welcomed by OSFI on:
Comments can be submitted to [email protected] by February 9, 2022. OSFI is also planning an information session for financial institutions within the coming weeks to provide an overview of the Draft Guideline and an opportunity for questions.
The Draft Guideline was published pursuant to OSFI's Near-Term Plan of Prudential Policy of May 6, 2021 (the “Near-Term Plan”), which expressly committed OSFI to setting out its expectations on technology and cyber risk management in Q4 of 2021. As indicated in the Near-Term Plan and the Draft Guideline, OSFI's next objective is to update Guideline B-10: Outsourcing of Business Activities, Functions and Processes in Q1 of 2022 and to expand the scope of its third-party risk management guidance beyond outsourcing. FRFIs and their third-party providers can therefore expect further significant regulatory developments and should begin preparing for the potential impact on their operations.
FRFIs should review their technology and cyber risk management frameworks and third-party service agreements in light of OSFI's new focus on these issues. Although the Draft Guideline is subject to further development after the public consultation, FRFIs should expect its key themes to be generally maintained, and its final expectations to go beyond additional investment in information technology and security. While such investment is critical to any technology and cyber risk management framework, FRFIs may also need to revisit their practices with respect to governance, risk accountability, asset management, and relationships with third-party providers. For their part, third-party providers of information technology and other services to FRFIs may need to revisit their Canadian financial industry contract templates and related practices to account for these regulatory developments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
  © Mondaq® Ltd 1994 – 2021. All Rights Reserved.
