The Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13, setting out the agency’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks, including data breaches and technology outages.

The report includes three domains – governance and risk management, technology operations and cyber security – and discusses key components of each, including desired outcomes, to help institutions understand OSFI’s expectations.

The document was first discussed with the industry in a 2020 consultation, followed by a further consultation when OSFI released a draft guideline in November 2021. “Compared with the draft consultation version, the final Guideline B-13 is more streamlined and less prescriptive, with clearer definitions,” the agency writes in a statement accompanying the release of the new guideline.

“These expectations aim to support FRFIs in developing greater resilience to technology and cyber risks,” the agency adds in the guideline’s introduction.

17 principles 

The report goes on to discuss 17 principles. “Senior management should assign responsibility for managing technology cyber risk to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks,” reads principle 1.

The guideline goes on to say that institutions should ensure appropriate structures, resources and training are provided, and should promote a culture of risk awareness in relation to technology and cyber risk throughout the institution.

FRFIs should also define, document and implement strategic technology and cyber plans, the guideline continues, before elaborating on the plan’s required elements. It also discusses cyber risk management frameworks and the processes for managing, monitoring and reporting technology and cyber risks, sets out their key elements, and states that these frameworks should be continuously improved.

Risk identification and assessment 

“FRFIs should maintain an updated inventory of all technology assets supporting business processes or functions. FRFIs’ asset management processes should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their lifecycle, and monitor and manage technology currency,” the guideline states.

The inventory that institutions are required to maintain includes a catalogue of assets both owned and leased by the institution, along with an inventory of third-party assets that store or process the institution’s information or support critical business services.
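As an added illustration (not part of the guideline or OSFI’s material), the check below runs a constructed asset inventory against the expectations quoted above: every live asset needs a classification and a recorded configuration, owned and leased assets need a known support end date so technology currency can be monitored, and third-party assets must state whether they hold the institution’s data or support a critical service. The record layout and field names are assumptions for the example.

```python
from datetime import date

# Constructed sample inventory; field names are an assumption for this example.
INVENTORY = [
    {"id": "srv-01", "ownership": "owned", "classification": "critical",
     "config_recorded": True, "support_ends": date(2026, 6, 30), "disposed": None},
    {"id": "lap-77", "ownership": "leased", "classification": None,
     "config_recorded": False, "support_ends": date(2023, 1, 1), "disposed": None},
    {"id": "saas-pay", "ownership": "third_party", "classification": "critical",
     "config_recorded": True, "support_ends": None, "disposed": None,
     "holds_frfi_data": True},
    {"id": "old-nas", "ownership": "owned", "classification": "internal",
     "config_recorded": True, "support_ends": date(2020, 1, 1),
     "disposed": date(2022, 3, 15)},
]


def assess_asset(asset, today):
    """Return the list of gaps for one asset against the inventory expectations."""
    findings = []
    if asset.get("disposed"):
        # A disposal date closes the asset's lifecycle; no further checks apply.
        return findings
    if not asset.get("classification"):
        findings.append("missing classification")
    if not asset.get("config_recorded"):
        findings.append("configuration not recorded")
    if asset["ownership"] == "third_party":
        # Third-party entries must say why they are in scope (data held / critical service).
        if "holds_frfi_data" not in asset:
            findings.append("third-party asset: data or critical-service dependency not stated")
    else:
        # Technology currency: owned and leased assets need a tracked support end date.
        support = asset.get("support_ends")
        if support is None:
            findings.append("technology currency unknown (no support end date)")
        elif support < today:
            findings.append(f"out of support since {support.isoformat()}")
    return findings


def assess_inventory(inventory, today=None):
    """Map each asset id to its findings; an empty list means no gap found."""
    today = today or date.today()
    return {asset["id"]: assess_asset(asset, today) for asset in inventory}


if __name__ == "__main__":
    for asset_id, gaps in assess_inventory(INVENTORY, date(2024, 1, 1)).items():
        print(asset_id, gaps or "ok")
```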

The guideline also covers project management, change and release management, patch management, incident and problem management, service measurement and monitoring, disaster recovery (it stipulates that disaster recovery scenarios be tested and what those tests should cover), threat assessment and testing, the assessment and ranking of vulnerabilities, continuous situational awareness, forensic investigation capabilities and threat modelling.

OSFI says the guideline will be effective January 1, 2024, to give institutions sufficient time to self-assess and ensure their compliance.