Written by Stephen Burns, Michael Whitt, Sébastien Gittens, Ruth Promislow, Matthew Flynn, HC Lee and Amy Wong
On November 9, 2021, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month public consultation on the Draft Guideline B-13: Technology and Cyber Risk Management.
The Draft Guideline sets out OSFI's expectations with respect to “technology and cyber risk management” applicable to federally regulated financial institutions (FRFIs), such as banks, federally incorporated or registered trust and loan companies, insurance companies and pension plans subject to federal oversight. In particular, the Draft Guideline outlines various expectations regarding the development of robust management frameworks and policies by FRFIs to identify, respond to and recover from technology and cyber risks.
The Draft Guideline sets out five "domains" detailing the scope of OSFI's expectations. Below is a high-level summary of key points:
- Governance and Risk Management: Senior Management of FRFIs should establish “appropriate organizational structure[s],” which designate clear responsibilities to senior officers and allocate adequate personnel, resources, subject-matter expertise and training. Implementation of this domain includes the establishment of a technology and cyber risk management framework that includes "policies, standards and processes governing all domains of technology and cyber risk, which are approved, regularly reviewed and consistently implemented enterprise-wide."
- Technology Operations: FRFIs should maintain “stable, scalable and resilient” technological environments. A FRFI's architecture framework should facilitate enterprise-wide IT architecture that supports its business goals and security requirements. Technology assets and systems should be monitored to ensure their stability, currency and effectiveness. Implementation of this domain includes: (i) taking inventory of "all technology assets that support the business"; (ii) continuous assessment of the currency of the FRFI's software and hardware assets; and (iii) having measures in place for the effective management of technology incidents.
- Cyber Security: FRFIs should adopt procedures that ensure their data is kept confidential, intact and available. A FRFI's policies should identify cybersecurity weaknesses, as well as arrange for preventive controls and ongoing security detection measures. Implementation of this domain includes: (i) intelligence-led threat/vulnerability assessments and testing; (ii) data mapping, classification and loss prevention controls (including physical access controls and processes); (iii) threat modelling, isolation and remediation; and (iv) where necessary, forensic investigations and root cause analyses.
- Third-Party Provider Technology and Cyber Risk: FRFIs should implement processes that identify and mitigate risks associated with third-party providers. Implementation of this domain includes: (i) entering into formal agreements between a FRFI and its third-party providers that clearly define the parties' respective responsibilities for technology and cyber controls; and (ii) having controls in place to ensure third-party providers comply with the FRFI's technology and cyber standards, including developing cloud-specific requirements.
- Technology Resilience: FRFIs should devise enterprise-wide disaster recovery frameworks, which instruct them on recovering and delivering technological services through a disruption. Implementation of this domain includes ascertaining and managing key dependencies and testing specific disaster recovery scenarios.
While the Draft Guideline provides guidance regarding OSFI's expectations on technology and cyber risk management, a FRFI should implement systems, policies and practices to meet such expectations in a manner consistent with “its size; the nature, scope and complexity of its operations; and [its] risk profile.” FRFIs should also review the Draft Guideline alongside other OSFI materials, in particular those relating to risk management and cybersecurity, and guidance from additional authorities, as applicable.
The Privacy and Data Protection group would be pleased to assist you with respect to any questions on the implementation of the Draft Guideline, including assisting your organization with participating in the OSFI consultation process.