OSFI Calls for Consultation on Draft Guidelines for Technology and Cyber Risk Management | Bennett Jones LLP

[co-author: Amy Wong – Articling Student]

On November 9, 2021, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month public consultation on the draft Guideline B-13: Technology and Cyber Risk Management.

The draft guideline sets out OSFI’s expectations for “technology and cyber risk management” at federally regulated financial institutions (FRFIs), such as banks, federally incorporated or registered trust and loan companies, insurance companies and federally regulated pension plans. In particular, the draft guideline describes the robust risk management frameworks and policies that FRFIs are expected to develop in order to identify, respond to and recover from technology and cyber risks.

The draft guideline defines five “domains” that set out the scope of OSFI’s expectations. Below is a high-level summary of the key points:

  1. Governance and Risk Management: Senior management of an FRFI should put in place an “appropriate organizational structure[s]” that assigns clear responsibilities to senior executives and provides appropriate personnel, resources, expertise and training. Implementing this domain includes establishing a technology and cyber risk management framework that sets out “policies, standards and processes for all domains of technology and cyber risk that are approved, regularly reviewed and consistently implemented across the enterprise”.
  2. Technology Operations: FRFIs should maintain “stable, scalable and resilient” technology environments. An FRFI’s architecture framework should support an enterprise-wide IT architecture that aligns with its business goals and security requirements. Technology assets and systems should be monitored to ensure their stability, currency and effectiveness. Implementing this domain includes: (i) an inventory of “all technology assets that support the business”; (ii) ongoing assessment of whether the FRFI’s software and hardware assets are current (i.e., supported and up to date); and (iii) arrangements for effective technology incident management.
  3. Cyber Security: FRFIs should put in place processes to preserve the confidentiality, integrity and availability of their data. An FRFI’s policies should identify cybersecurity vulnerabilities and provide for preventive controls and ongoing security detection measures. Implementing this domain includes: (i) intelligence-led threat and vulnerability assessments and testing; (ii) data mapping, classification and loss prevention controls (including physical access controls and processes); (iii) threat modelling, isolation and remediation; and (iv) forensic investigations and root cause analysis, where necessary.
  4. Third-Party Technology and Cyber Risk: FRFIs should implement processes that identify and mitigate the risks associated with third-party providers. Implementing this domain involves: (i) entering into formal agreements between the FRFI and its third-party providers that clearly define the parties’ respective responsibilities for technology and cyber controls; and (ii) having controls in place to ensure that third-party providers comply with the FRFI’s technology and cyber standards, including the development of cloud-specific requirements.
  5. Technology Resilience: FRFIs should develop enterprise-wide disaster recovery frameworks that set out how technology services will be restored and delivered in the event of a disruption. Implementing this domain includes identifying and managing key dependencies and testing specific disaster recovery scenarios.

While the draft guideline provides guidance on OSFI’s expectations for technology and cyber risk management, an FRFI should implement systems, policies and procedures to meet those expectations in a manner that reflects “its size; the nature, scope and complexity of its operations; and [its] risk profile.” FRFIs should also review the draft guideline alongside other OSFI materials, particularly those relating to risk management and cybersecurity, and guidance from other authorities as appropriate.