
Insurance Company Meets OSFI B-13 Cyber Security Requirements

Customer Challenge

In 2022, the Office of the Superintendent of Financial Institutions (OSFI) of Canada released its final version of Guideline B-13 - Technology and Cyber Risk Management. These guidelines, effective January 1, 2024, establish expectations for how federally regulated financial institutions (FRFIs)* should manage technology and cyber risks across three domains: Governance and Risk Management; Technology Operations and Resilience; Cyber Security.  

An insurance company with operations across Canada ingests data into their AWS storage environment from external sources via managed file transfer, as well as attachments uploaded via a web application. Because the contents of this data are unknown, it introduces cyber risk into their environment: any file could contain malicious code.

As an FRFI, they are subject to Guideline B-13 and were focused on meeting expectations within the Cyber Security domain pertaining to: 

  • Proactively identifying security risks (3.1.1)

  • Implementing defence controls for malware and viruses (3.2.4)

In addition to needing to scan data for malware, the company needed to account for Canadian data residency requirements and multiple AWS accounts. Moreover, the company was on a tight timeline as they were looking to comply with B-13 by the effective date, which was a few months away. They wanted a solution that could be implemented quickly and that would scan data going into AWS storage without delaying or disrupting the flow of data.

 

Partner Solution

The company searched for an antivirus solution that was easy to use yet non-intrusive and highly configurable. After discovering Cloud Storage Security (CSS) in AWS Marketplace, they reached out to initiate a proof of concept (POC).

The company liked that CSS's antivirus solution is an automated, cloud-native serverless solution that runs in their AWS account. Deployment was streamlined via an AWS CloudFormation Template and they were up and running the same day. During the POC, CSS supported the company in deploying the solution in a centralized security services account to meet the company’s internal technical requirements. 

CSS also assisted the company in determining which of the multiple available scan models was the best fit for each workflow. For data ingested via managed file transfer, the company implemented CSS’s event-driven scanning model because it scans high volumes of very large files in real time as they are dropped into Amazon Simple Storage Service (Amazon S3) without impacting the rate of data ingestion and without slowing down downstream processing. For files uploaded by web application users, they implemented CSS’s API-driven scanning model because it synchronously scans files in real time before they are written, so that only safe, clean files are uploaded and stored in Amazon S3.

 

Results and Benefits

By using CSS's antivirus solution, the company is now:

  • Meeting Guideline B-13 controls: The solution automatically updates virus definitions and easily integrates findings for potential threats into their SecOps process, which helps them meet controls within Guideline B-13. Plus, all findings are logged and readily available in case of an audit.

  • Maintaining data residency: Data doesn’t leave the insurance company's AWS account structure or local regions for scanning purposes, helping them maintain Canadian data residency requirements.

  • Scanning without disruption: The solution’s multiple scan models provide the flexibility to implement a scanning process that best fits each of their workflows.

  • Scanning any size and type of file: The ability to use a name-brand enterprise scanning engine ensures files of all sizes are scanned.

  • Scanning across accounts: All of their AWS accounts, regions and buckets are covered through a linked account setup, saving time.

 

Moving forward with Cloud Storage Security

FRFIs interested in evaluating CSS solutions can subscribe to a 30-day free trial in AWS Marketplace or contact CSS to discuss a POC.

 

*Canadian FRFIs comprise banks, trust companies, loan companies, life insurance companies, fraternal benefit societies, and property and casualty insurance companies.

 

 

 
