On November 9, 2021, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month public consultation on a new Draft Guideline B‑13: Technology and Cyber Risk Management (Draft Guideline). The publication of the new Draft Guideline follows OSFI’s consultation on technology risks in the financial sector that was launched in September 2020 (see our Blakes Bulletin: Technology Risks and Resilience in the Financial Sector: OSFI Issues Digital Risks Discussion Paper.) OSFI issued a summary of the feedback received from this earlier consultation in May 2021, which is also addressed in the Draft Guideline and related OSFI letter.
The Draft Guideline will apply to all federally regulated financial institutions (FRFIs), including banks, insurers, and trust and loan companies. No exceptions are identified for Canadian branches of authorized foreign banks and foreign insurers, although OSFI notes that FRFIs are to implement the Draft Guideline commensurate with their size, the nature, scope and complexity of their operations, and risk profile.
The new Draft Guideline will complement, rather than replace, OSFI’s existing guidelines and tools on operational risk management and outsourcing, including Guideline E‑21: Operational Risk Management, Guideline B‑10: Outsourcing of Business Activities, Functions and Processes, and the recently updated Cyber Security Self-Assessment and Technology and Cyber Security Incident Reporting Advisory. OSFI also reiterates its intention to review existing guidance on outsourcing and operational risk management in due course.
The Draft Guideline sets out OSFI’s expectations for the management of information technology and cyber risks. It is organized into five domains: governance and risk management, technology operations, cyber security, third-party provider technology and cyber risk, and technology resilience. For each domain, OSFI specifies a desired outcome and sets out somewhat prescriptive principles. The domains, together with their related outcome expectations and guiding principles, are summarized in the table set out below.
OSFI’s objective in adopting this layered approach is to afford flexibility to FRFIs consistent with principles-based guidance while providing sufficient clarity on regulatory expectations. As noted below, OSFI is specifically seeking comments from the industry on whether the Draft Guideline strikes the right balance between prescriptive and principles-based approaches to regulatory guidance.
The stated outcomes and the more specific principles for each of the five domains are summarized in the table set out below.
OSFI’s expectations are intended to be technology-neutral (for example, OSFI is not advancing expectations specific to quantum computing) and aim to support FRFIs in developing greater resilience to technology and cyber risks. The Draft Guideline sets out specific definitions for technology risk and cyber risk.
Technology risk is defined as the risk arising from the inadequacy, disruption, failure, loss or malicious use of information technology systems, infrastructure, people or processes that enable and support business needs and can result in financial loss. OSFI clarifies that technology in the Draft Guideline refers to information technology.
Cyber risk or cyber security risk is defined as the risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of a FRFI’s information technology systems and/or the data contained therein. OSFI also clarifies that the term cyber also refers to information security.
OSFI’s consultation, which is open until February 9, 2022, invites comments on the Draft Guideline with a particular focus on the following issues:
Clarity of OSFI’s expectations in the Draft Guideline
Application of the OSFI expectations, commensurate with an FRFI’s size, nature, scope, and complexity of operations
Balance between principles-based approach and prescriptiveness in OSFI’s expectations
OSFI is expected to hold an information session in respect of the Draft Guideline within the next few weeks.
Draft Guideline B-13: Domains, Outcomes and Principles
DOMAIN 1: Governance and Risk Management
Formal accountability, leadership, organizational structure and framework used to support technology and cyber security risk management and oversight
Expected Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
Principle 1: Accountability and Organizational Structure
Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.
Principle 2: Technology and Cyber Strategy
FRFI should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align to FRFI’s business strategy and set goals and objectives that are measurable and evolve with changes in FRFI’s technology and cyber environment.
Principle 3: Technology and Cyber Risk Management Framework
FRFI should establish a technology and cyber risk management framework. The framework should set out a risk appetite for technology and cyber risks, and define what processes and requirements the FRFI utilizes to identify, assess, manage, monitor and report on technology and cyber risks.
DOMAIN 2: Technology Operations
Management and oversight of risks related to the design, implementation and management of technology assets and services
Expected Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.
Principle 4: Technology Architecture
FRFI should implement a technology architecture framework, with supporting processes to ensure solutions are built in line with business, technology and security requirements.
Principle 5: Technology Asset Management
FRFI should maintain an updated inventory of all technology assets supporting business processes or functions. FRFI’s asset management process should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle, and monitor and manage technology currency.
Principle 6: Technology Project Management
Effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within FRFI’s risk appetite.
Principle 7: System Development Life Cycle (SDLC)
FRFI should implement an SDLC framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.
Principle 8: Change and Release Management
FRFI should establish and implement a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.
Principle 9: Patch Management
FRFI should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.
Principle 10: Incident and Problem Management
FRFI should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.
Principle 11: Technology Service Measurement and Monitoring
FRFI should develop service and capacity standards, and processes to monitor operational management of technology, ensuring business needs are met.
DOMAIN 3: Cybersecurity
Management and oversight of cyber risk
Expected Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of FRFI’s technology assets.
Principle 12: Identify
FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber-security for weaknesses that could be exploited by external and insider threat actors.
Principle 13: Defend
FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.
Principle 14: Detect
FRFI designs, implements and maintains continuous security detection capabilities to enable monitoring, alerting, and enable forensic cyber security incident investigations.
Principle 15: Respond, Recover and Learn
FRFI should triage, respond to, contain, recover and learn from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.
DOMAIN 4: Third-Party Provider Technology and Cyber Risk
Sets expectations for FRFIs that engage with third-party providers to obtain technology and cyber services and/or other services that give rise to cyber and/or technology risk
Expected Outcome: Reliable and secure technology and cyber operations from third-party providers
FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the third-party provider’s life cycle, from due diligence to termination/exit.
DOMAIN 5: Technology Resilience
Capabilities to deliver technology services through operational disruption
Expected Outcome: Technology services are delivered, as expected, through disruption
Principles 17 and 18: Disaster Recovery
FRFI should establish and maintain an enterprise disaster recovery framework to support its ability to deliver technology services through disruption and operate within its risk tolerance.
FRFI should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.
For further information, please contact:
Vladimir Shatiryan 416-863-4154
Natalie LaMarche 416-863-2734
or any member of our Cybersecurity, Financial Services Regulatory, or Technology groups.
© 2023 Blake, Cassels & Graydon LLP