The Office of the Superintendent of Financial Institutions (OSFI) announced April 21 that it has published a new implementation guide and framework for federally regulated financial institutions (FRFIs), including internationally active insurance groups, outlining a methodology for testing that proactively identifies and addresses cyber resilience issues.

The Intelligence-Led Cyber Resilience Testing (I-CRT) framework, intended to enhance institutions’ resilience against sophisticated attacks, was developed over 18 months, in consultation with the industry. The development included a pilot project conducted with institutions in both the banking and insurance sectors.

“OSFI expects FRFIs to have measures in place that create resilience against cyber attacks and disruptions,” they write in an announcement about the publication of the new framework. “The I-CRT framework is a supervisory tool.” 

The statement goes on to say OSFI recommends institutions conduct an I-CRT assessment at least once during each three-year supervisory cycle, beginning in 2023. The need for an assessment can also be event-driven.

“This framework is a how-to guide to follow when conducting OSFI’s Intelligence-Led Cyber Resilience Testing (I-CRT) assessments. This document is not a policy instrument used to set regulatory expectations,” the implementation guide states. “The purpose of this document is to outline the methodology and process to follow when conducting an I-CRT assessment.” 

They add that the framework allows for a controlled, bespoke, intelligence-led test of an institution’s underlying technology assets and services supporting critical business functions. The activity, sponsored by a senior executive at the FRFI, is led by OSFI, an approach they say allows for collaboration in proactively identifying realistic cyber threats. A control group appointed by the FRFI has overall responsibility for conducting the assessment.