On July 13, 2022, the Office of the Superintendent of Financial Institutions Canada (OSFI) issued the final version of Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), concluding OSFI’s review of technology and cyber risk management for Federally Regulated Financial Institutions (FRFIs). In issuing the new guideline, OSFI acknowledged that there is no one-size-fits-all approach for managing technology and cyber risks, given the unique risks and vulnerabilities that vary among FRFIs due to the size, nature, scope, and complexity of their respective operations and risk profiles. In addition, in light of the feedback received during the three-month consultation on draft Guideline B-13 back in November 2021, OSFI confirmed that Guideline B-13 should be read, and implemented, from a risk-based perspective that allows FRFIs to compete effectively and take full advantage of digital innovation, while maintaining sound technology risk management.
OSFI’s focus for managing technology and cyber risks has been welcomed by FRFIs in light of the widespread use of technology by FRFIs and the growing rate of cyber incidents in recent years. Guideline B-13 is the product of an extensive consultation process which began with the publication of OSFI’s discussion paper on technology and related risk back in September 2020 (the Discussion Paper) and a consultation period from September to December 2020. Following the release of OSFI’s draft Guideline B-13 in November 2021, OSFI carried out a further three-month consultation on its proposed guidance regarding technology and cyber risk. In June 2022, OSFI published its summary response to consultation feedback on draft Guideline B-13. Guideline B-13 now proposes to provide FRFIs with greater resilience to technology and cyber risks while also enabling FRFIs to be competitive and take full advantage of digital innovation.
The final Guideline B-13 will be effective as of January 1, 2024, to provide FRFIs with sufficient time to self-assess and ensure compliance with the new guideline. Guideline B-13 is contemplated by OSFI’s existing guidance and tools, including the Corporate Governance Guideline, Guideline E-21 (Operational Risk Management), the revised draft Guideline B-10 (Third-party Risk Management), the Technology and Cyber security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.
Changes to Guideline B-13
Following publication of the feedback from interested stakeholders during the consultation process, OSFI finalized its expectations for how FRFIs should manage technology and cyber risks such as data breaches, technology outages and more. Compared with the draft consultation version, OSFI noted that Guideline B-13 is more streamlined and less prescriptive, with clearer definitions and expectations. As a result, it is hoped that this guideline will provide FRFIs with a flexible principles-based approach towards managing technology and cyber risks that takes into consideration the variation in size, nature, scope and complexity of operations among financial institutions. The following are some of the material changes OSFI has implemented in Guideline B-13 since the draft consultation version of the guideline was circulated by OSFI:
OSFI removed several expectations and examples that were overly prescriptive in certain areas and included fewer prescriptive expectations and examples, with added emphasis on approaching Guideline B-13 from a risk-based perspective.
In particular, OSFI revised the following areas to include fewer prescriptive expectations and examples: the System Development Life Cycle (SDLC) framework phases, security requirements and coding principles; the technology services that should be measured, monitored and regularly reviewed for improvement; the data protection and loss prevention security controls that should be implemented; what security configuration baselines are enforced and managed; and how and where physical access controls and processes are applied.
Guideline B-13 has now been streamlined and organized around three “domains”, instead of the earlier five domains. Each domain sets out key components for sound risk management. The three domains are as follows: (1) Governance and Risk Management, (2) Technology Operations and Resilience, and (3) Cyber Security.
OSFI has achieved this change by moving third-party expectations to the revised draft Guideline B-10, which is currently the subject of a three-month consultation, ending on July 27, 2022, and by consolidating and streamlining Technology Operations and Resilience domain together. With respect to each of the three domains, OSFI sets out the key components, including desired outcomes, to help FRFIs understand OSFI’s expectations.
In its updated guidance, OSFI clarified a number of definitions. In particular, OSFI updated the definition of “Technology Risk” by advancing a single definition that includes cyber risk. Guideline B-13 also includes a definition for SDLC.
It is noted in the guidance that Guideline B-13 definitions are informed by definitions used by recognized standard setting bodies. In addition, for technical terms used throughout the guideline, FRFIs may employ definitions published by recognized standard-setting bodies.
During the consultation process, respondents had identified expectations that were overlapping and confusing in some areas. As a result, OSFI clarified these in Guideline B-13, in addition to removing or consolidating expectations, where appropriate.
OSFI removed the following prescriptive expectations and examples from Guideline B-13: the inventory that captures all technology assets that support the business; how additional security controls are applied for external facing services; how cyber security defence controls are maintained for hosts, endpoints and mobile devices; how networks are protected; and how to continuously test and create simulations to improve responses.
In addition, OSFI added further clarity to the disaster recovery section which is now included under the Technology Operations and Resilience domain.
The new Guideline B-13 provides enhanced regulatory guidance for FRFIs on technology and cyber risk management while also allowing them to compete effectively and take full advantage of digital innovation. It is hoped that this guideline will support FRFIs in the ever-changing technological environment while also providing them with greater protection from, and awareness to, cyber incidents.
With an effective date of January 1, 2024, OSFI has provided all FRFIs with sufficient time to review and consider Guideline B-13 to determine what actions, if any, need to be taken to ensure compliance with this new guideline. When reviewing Guideline B-13, FRFIs should ensure that it is read, and implemented, from a risk-based perspective, along with ensuring compliance with other applicable laws regarding privacy and cyber security. In addition, when applying the principles of Guideline B-13, FRFIs should consider the size, complexity, and nature of their operations in order to determine the appropriate cyber and risk management practices to implement.
Moreover, FRFIs should review Guideline B-13 in tandem with OSFI’s existing guidance and tools, including the Corporate Governance Guideline, Guideline E-21, Guideline B-10, the Technology and Cyber security Incident Reporting Advisory and the Cyber Security Self-Assessment tool to ensure further compliance.
Each FRFI should work with their lead supervisor if they have any questions regarding Guideline B-13 and how it may impact the FRFI’s operations.
Dentons Canada’s Insurance Regulatory group is pleased to assist with any questions you may have regarding Guideline B-13.