OSFI Guideline B-13 at a Glance

The Office of the Superintendent of Financial Institutions (OSFI) released its final version of Guideline B-13, Technology and Cyber Risk Management, on July 31, 2022 to outline expectations for managing risks across three domains: (1) Governance and Risk Management; (2) Technology Operations and Resilience; (3) Cyber Security.  

The Guideline applies to all federally regulated financial institutions (FRFIs) including banks, life Insurance and fraternal companies, property and casualty companies, trust and loan companies, foreign bank branches and foreign insurance branches.  

B-13 directly supports OSFI’s Integrity and Security Guideline, released January 31, 2024, which requires FRFIs to submit to OSFI a comprehensive action plan that details how expectations will be met, including “interim deliverables to achieve compliance” by July 31, 2024. 

This article includes B-13 principles verbatim while paraphrasing Guideline B-13 expectations pertaining to each principle. As always, refer to OSFI Guideline B-13 directly to assess and establish compliance.

Domain 1: Governance and Risk Management

1.1 Accountability and organizational structure

Principle 1: Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.

Senior Management is accountable for technology and cyber security operations and should assign governance to key roles such as the CTO, CIO, and CISO. It is also essential to establish a well-structured organization to manage risk, with clearly defined roles, adequate resources and expertise, and proper training; promote a culture of risk awareness related to technology and cyber risks throughout the organization.

1.2 Technology and cyber strategy

Principle 2: FRFIs should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align to business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment.

The plan should be forward-thinking, encompassing, and quantifiable. Include potential and planned modifications for both internal and external environments. Clearly outline objectives, opportunities, threats, and progress indicators, along with how operations will support the business strategy.

1.3 Technology and cyber risk management framework

Principle 3: FRFIs should establish a technology and cyber risk management framework (RMF). The framework should set out a risk appetite for technology and cyber risks and define FRFI’s processes and requirements to identify, assess, manage, monitor and report on technology and cyber risks.

The RMF should align with the FRFI’s enterprise RMF and be regularly updated and enhanced. The technology and cyber RMF should include: risk measurement, control domains, standard processes and policies, management of unique risks, and accountability for risk management as well as oversight functions, and should regularly be reviewed to inform about risk appetites, exposures, and trends.

Domain 2: Technology Operations and Resilience

2.1 Technology architecture

Principle 4: FRFIs should implement a technology architecture framework, with supporting processes to ensure solutions are built in line with business, technology, and security requirements.

Financial institutions should create a robust technology architecture framework that aligns with their strategic, security, and business objectives. This comprehensive architecture, considering all aspects like infrastructure, applications, and new technologies, must be designed with a focus on scalability, security, and resilience, meeting the evolving needs of the business.

2.2 Technology asset management

Principle 5: FRFIs should maintain an updated inventory of all technology assets supporting business processes or functions. FRFI’s asset management processes should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle, and monitor and manage technology currency.

FRFIs should establish and maintain robust technology asset management standards, which include cataloging and categorizing assets based on risk tolerance, ensuring safe disposal methods are in place, and regularly analyzing and managing the currency of software and hardware assets used in their operations. This should be complemented by a detailed inventory system that records and manages tech asset configurations, highlights critical technology assets, and documents their interdependencies for optimal security and operational incident response.

2.3 Technology project management

Principle 6: Effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within the FRFI’s risk appetite.

Technology initiatives, notable for their scale, necessary resources, and strategic relevance, ought to operate within an organization-wide management structure. This framework allows for uniform methods and successful project results, while ensuring constant performance evaluation, risk assessment, and periodic reporting in line with the company's tech strategy.

2.4 System Development Life Cycle

Principle 7: FRFIs should implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.

The SDLC framework, incorporating principles like Agile or Waterfall, should guide system and software development and include security, functionality, and performance measures to attain business goals. It's crucial to integrate development, security, and technology operations to swiftly deliver secure applications. Any acquired systems or software should undergo risk assessments to meet the SDLC framework's control requirements, with coding principles defined and implemented to ensure secure, stable code.

2.5 Change and release management

Principle 8: FRFIs should establish and implement a technology change and release management process and supporting documentation to ensure changes to technology assets are conducted in a controlled manner that ensures minimal disruption to the production environment.

It's crucial that alterations to technology assets are meticulously overseen, from documentation to verification, including defining emergency change protocols to ensure security. To prevent unauthorized changes, duties within the change management process should be divided, while maintaining a traceable and integral change record throughout each stage of the process.

2.6 Patch management

Principle 9: FRFIs should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.

A robust patch management procedure, aligning with change management processes, ensures swift and controlled application of patches. Clear roles are defined among stakeholders, and each patch undergoes testing before being deployed into the production environment.

2.7 Incident and problem management

Principle 10: FRFIs should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.

FRFIs should set up robust standards and procedures to manage incidents, minimizing disruptions to affected systems and business processes through timely identification, escalation, and resolution. Incident management should be well-structured, responsive, risk-based, and include clearly outlined roles, early detection indicators, prioritization based on business impact, and proactive response procedures, all subjected to regular testing for effectiveness. Additionally, mechanisms should be in place for investigating and resolving incidents, leveraging insights from post-incident reviews and trend analysis to continuously improve incident management protocols and control processes.

2.8 Technology service measurement and monitoring

Principle 11: FRFIs should develop service and capacity standards and processes to monitor operational management of technology, ensuring business needs are met.

FRFIs need to establish and regularly review performance metrics for technology services, including remediation processes for unmet targets. Furthermore, they should outline and continuously monitor performance and capacity requirements to ensure technology infrastructure can support both current and evolving business needs.

2.9 Disaster recovery

Principle 12: FRFIs should establish and maintain an Enterprise Disaster Recovery Program (EDRP) to support its ability to deliver technology services through disruption and operate within its risk tolerance.

FRFIs are expected to create, enforce, and sustain an Effective Disaster Recovery Program (EDRP) that outlines their method for restoring technological services following disruptions. This includes allocating responsibilities for recovery actions, identifying vital technologies, ensuring data backup and recovery processes, and aligning with the broader business continuity program. Also, it is crucial to manage key dependencies such as data security requirements and technology asset location for effective support of the EDRP.

Principle 13: FRFIs should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.

To encourage continuous improvement and resilience, FRFIs should consistently validate their disaster recovery strategies against potential scenarios, including emergent risks, significant business or tech changes, and situations contributing to prolonged outages. These scenarios should assess the organization's backup and recovery capacities, along with critical third-party technologies and their dependencies, both on- and off-premises.

Domain 3: Cyber Security

3.1 Identify

Principle 14: FRFIs should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.

FRFIs are urged to proactively identify and assess emerging security risks, effectively utilizing tools and processes for rigorous threat assessment and testing. This includes conducting regular vulnerability assessments, continuously maintaining situational awareness of the external threat landscape, and promoting cyber awareness inside the organization. Furthermore, they should safeguard classified data, engage in threat modeling and hunting, and consistently monitor and report on the organization's cyber risk profile.

3.2 Defend

Principle 15: FRFIs should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.

FRFIs need to establish a comprehensive security framework, beginning with secure-by-design practices and strong cryptographic technologies to protect their technology assets. Key strategies should include a multi-layered approach to cybersecurity controls, robust identity and access management, data protection throughout its lifecycle, and timely remediation of security vulnerabilities. In addition, application of enhanced controls for critical resources, strict enforcement of configuration baselines, rigorous application scanning/testing, and physical access controls are crucial in effectively combating cyber threats.

3.3 Detect

Principle 16: FRFIs design, implement and maintain continuous security detection capabilities to enable monitoring, alerting and forensic investigations.

FRFIs must ensure uninterrupted, centralized security logging to facilitate prompt investigations during cyber threats. The detection of malicious and unauthorized activities through advanced methods and intelligence should be continuous. There should be defined roles to swiftly address high-risk cyber security alerts, preventing significant operational disruptions.

3.4 Respond, recover and learn

Principle 17: FRFIs should respond to, contain, recover and learn from cyber security incidents impacting their technology assets, including incidents originating at third-party providers.

FRFIs need to integrate and align their incident response capabilities across all sectors including cyber security, technology, crisis management and communication. This will facilitate rapid response to cyber incidents, including defining and implementing a cyber incident taxonomy that supports incident management. Establishment of a dedicated response team and maintenance of processes and tools can ensure effective incident handling, while carrying out forensic investigations and root cause analysis aids in identifying vulnerabilities and learning lessons for future prevention.

This summary is for informational purposes only, does not claim to be accurate or complete, and does not constitute legal or compliance advice.