OSFI Consultation on Draft Guideline B-13 – Technology and Cyber Risk Management

The Office of the Superintendent of Financial Institutions (“OSFI”) launched a three-month public consultation on Draft Guideline B‑13, Technology and Cyber Risk Management (the “Proposed Guideline”) on November 9, 2021, and is inviting comments on the Proposed Guideline until February 9, 2022.

The Proposed Guideline has been released as part of OSFI’s Strategic Plan 2019 – 2022 and puts into action some of the themes set out in OSFI’s discussion paper Developing Financial Sector Resilience in a Digital World, published in September 2020.

The Proposed Guideline sets out OSFI’s expectations for sound technology and cyber risk management across five domains and, once finalized, would apply to all federally regulated financial institutions (“FRFIs”). However, consistent with OSFI’s other guidance on outsourcing, risk management and incident reporting, OSFI recognizes that the application of its expectations should be commensurate with the size, nature, scope and complexity of operations and the risk profile of each FRFI.

The five domains of OSFI’s expectations, and their respective desired outcomes, are as follows:

Domains for Sound Management of Technology and Cyber Risk, and their respective outcomes:

1. Governance and Risk Management: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
2. Technology Operations: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.
3. Cyber Security: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.
4. Third-Party Provider Technology and Cyber Risk: Reliable and secure technology and cyber operations from third-party providers.
5. Technology Resilience: Technology services are delivered, as expected, through disruption.

OSFI recommends that the Proposed Guideline be considered in conjunction with other OSFI guidance, as well as guidance issued by other authorities applicable to the FRFI’s operating environment. OSFI references, in particular, OSFI Guideline E-21 (Operational Risk Management), OSFI Guideline B-10 (Outsourcing), the OSFI Cyber Security Self-Assessment Tool, the OSFI Technology and Cyber Security Incident Reporting Advisory, alerts, advisories and other communications issued by the Canadian Centre for Cyber Security, and recognized frameworks and standards for technology operations and information security.

Each of the five domains contains related prescriptive principles, which are reproduced below. The Proposed Guideline contains further discussion of each of these principles, expanding on OSFI’s expectations for FRFIs in meeting the requirements of each domain.

Domain 1 – Technology and Cyber Governance and Risk Management

Principle 1 – Accountability and Organizational Structure

Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.

Principle 2 – Technology and Cyber Strategy

The FRFI should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align with the FRFI’s business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment.

Principle 3 – Technology and Cyber Risk Management Framework

The FRFI should establish a technology and cyber risk management framework. The framework should set out a risk appetite for technology and cyber risks and define what processes and requirements the FRFI utilizes to identify, assess, manage, monitor and report on technology and cyber risks.

Domain 2 – Technology Operations

Principle 4 – Technology Architecture

The FRFI should implement a technology architecture framework with supporting processes to ensure solutions are built in line with business, technology and security requirements.

Principle 5 – Technology Asset Management

The FRFI should maintain an updated inventory of all technology assets supporting business processes or functions. The FRFI’s asset management process should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle and monitor and manage technology currency.

Principle 6 – Technology Project Management

The FRFI should ensure that effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within the FRFI’s risk appetite.

Principle 7 – System Development Life Cycle

The FRFI should implement a System Development Life Cycle framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.

Principle 8 – Change and Release Management

The FRFI should establish and implement a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.

Principle 9 – Patch Management

The FRFI should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.

Principle 10 – Incident and Problem Management

The FRFI should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.

Principle 11 – Technology Service Measurement and Monitoring

The FRFI should develop service and capacity standards and processes to monitor operational management of technology ensuring business needs are met.

Domain 3 – Cyber Security

Principle 12 – Identify

The FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.

Principle 13 – Defend

The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.

Principle 14 – Detect

The FRFI should design, implement and maintain continuous security detection capabilities to enable monitoring, alerting and forensic cyber security incident investigations.

Principle 15 – Respond, Recover and Learn

The FRFI should triage, respond to, contain, recover and learn from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.

Domain 4 – Third-Party Provider Technology and Cyber Risk (“TPP”)

Principle 16 – General

The FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP’s life cycle, from due diligence to termination/exit.

Domain 5 – Technology Resilience

Principle 17 – Disaster Recovery

The FRFI should establish and maintain an Enterprise Disaster Recovery Framework to support its ability to deliver technology services through disruption and operate within its risk tolerance.

Principle 18 – Testing of Disaster Recovery

The FRFI should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.

OSFI is inviting public comments on the Proposed Guideline, which must be submitted by February 9, 2022.

OSFI is particularly interested in feedback on:

  • the clarity of OSFI’s expectations as set out in the Proposed Guideline;
  • the application of these expectations in relation to a financial institution’s size, nature, scope, and complexity of operations;
  • the balance between principles and prescriptiveness in OSFI’s expectations; and
  • any other suggestions that may contribute to OSFI’s mandate, while also allowing institutions to compete and take reasonable risks.

FSRA Approves Electronic Version of Insurance Cards

In Canada, each province and territory requires drivers with a registered motor vehicle to have automobile insurance. Insurers must provide proof of such insurance to policyholders, and policyholders must carry proof of automobile insurance with them in the motor vehicle at all times. In Ontario, the Compulsory Automobile Insurance Act (the “CAIA”) provides that insurers must issue an “insurance card” to a person with whom a contract of automobile insurance is made or whose contract of auto insurance is renewed.

In Ontario, the provincial government announced its intention to approve the electronic version of insurance cards under the CAIA in its April 2019 budget, Protecting What Matters Most, under the heading “Putting Drivers First Blueprint”. Effective as of September 5, 2019, Ontario became the fourth province to approve the use of electronic proof of insurance, after Nova Scotia, Newfoundland and Labrador, and Alberta.

The Financial Services Regulatory Authority of Ontario (“FSRA”), in its September 5, 2019 Bulletin titled “Modernizing automobile insurance – approval of electronic insurance card” (the “FSRA Bulletin”), approved the use of electronic insurance cards in accordance with the provisions of the CAIA.

The FSRA Bulletin provides for a one-year transition period commencing on September 5, 2019 during which insurers must continue to issue the currently approved paper version of the insurance card. Once the transition period expires, consumers will have the option to choose to receive their insurance cards electronically, in paper format or both.

The use of electronic insurance cards in Ontario will be subject to certain conditions including, among other things, the following:

Approved Form

It must contain the same data fields, text and overall appearance as the currently approved paper version and must be pink in colour.

Consent is Required, Use is Optional

The use of electronic insurance cards is optional for both insurers and policyholders, and insurers must obtain the policyholder’s informed consent to the use of electronic insurance cards before issuance.

Accessibility, Retention and Transfer

The electronic insurance card must be accessible so as to be usable for subsequent reference and be capable of being retained by another person in compliance with the provisions of the Electronic Commerce Act (Ontario).

The electronic insurance card must also have the capability to be emailed or transferred by the policyholder to a third party, such as law enforcement or permitted users of the motor vehicle.

Privacy and Security

Electronic insurance cards must also comply with the consent requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and have appropriate security safeguards in accordance with the provisions of PIPEDA. In the FSRA Bulletin, FSRA expressly states that an electronic insurance card “must not include features that monitor, track location, or collect, use or disclose personal information, without the policyholder’s knowledge and his or her informed consent”.

In particular, insurers are responsible for ensuring that the electronic version of the insurance card is: (i) in a downloadable form that can be stored in a secure manner on an electronic mobile device, (ii) not able to be edited or altered, and (iii) able to be viewed using lock screen capability; the insurer must also provide clear, plain-language instructions to policyholders on how to set the locked screen as a default feature.

Risk of Damage to Mobile Devices

Insurers must make it clear to policyholders that if they choose to receive an electronic insurance card, the policyholder assumes any risk of damage that may occur to the mobile device while it is in the hands of a third party, such as law enforcement or Service Ontario.

Caution to Consumers

Whether a policyholder chooses the electronic version or the paper version of the insurance card, operators of motor vehicles are required under the CAIA to have an insurance card in the vehicle for inspection at all times. This requirement applies regardless of any technological problems that may affect a policyholder’s mobile device, such as a drained battery, lack of or diminished cellular service or limited or obstructed visibility of the insurance card due to a damaged screen or other malfunction. FSRA recommends that insurers remind policyholders of their obligations under the CAIA before issuing an electronic insurance card.

Watch for any further updates on FSRA’s website, which can be accessed here.

Insurance & Reinsurance in Canada – 2019

The 2019 publication of Getting the Deal Through is now available and includes our updated summary guide to the regulation of insurance and reinsurance in Canada. Click here for access to our contribution.

Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through: Insurance & Reinsurance 2019, (published in July 2019; contributing editors: William D Torchiana, Mark F Rosenberg and Marion Leydier – Sullivan & Cromwell LLP). For further information please visit www.gettingthedealthrough.com.

Insurance & Reinsurance in Canada – 2018

The 2018 publication of Getting the Deal Through is now available and includes our updated summary guide to the regulation of insurance and reinsurance in Canada. Click here for access to our contribution.

Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through: Insurance & Reinsurance 2018, (published in July 2018; contributing editors: William D Torchiana, Mark F Rosenberg and Marion Leydier, Sullivan & Cromwell LLP). For further information please visit www.gettingthedealthrough.com.

Establishing Property & Casualty Insurance Operations in Canada

Toronto, November 2017 — Walker Sorensen is pleased to announce that its most recent publication, “Establishing Property & Casualty Insurance Operations in Canada”, is now available. Developed by our lawyers, this guide is an invaluable resource that provides practical insights into, and outlines the legal matters relevant to, establishing a property & casualty insurance business in Canada.

Establishing Property & Casualty Insurance Operations in Canada includes an overview of the federal and provincial laws and regulations pertinent to investors interested in the Canadian insurance industry. However, the information in this document is intended to provide general guidance, and is not an exhaustive analysis of all provisions of Canadian law with which an applicant wishing to establish property & casualty insurance operations in Canada may be required to comply. For this reason, we recommend that you seek legal advice from one of our lawyers on the specific legal aspects of your proposed investment or activity.

Download the PDF.

Establishing Life Insurance Operations in Canada

Toronto, September 2017 — Walker Sorensen is pleased to announce that its most recent publication, “Establishing Life Insurance Operations in Canada”, is now available. Developed by our lawyers, this guide is an invaluable resource that provides practical insights into, and outlines the legal matters relevant to, establishing a life insurance business in Canada.

Establishing Life Insurance Operations in Canada includes an overview of the federal and provincial laws and regulations pertinent to investors interested in the Canadian insurance industry. However, the discussion in this document is intended to provide general guidance, and is not an exhaustive analysis of all provisions of Canadian law with which an applicant wishing to establish life insurance operations in Canada may be required to comply. For this reason, we recommend that you seek legal advice from one of our lawyers on the specific legal aspects of your proposed investment or activity.

Download the PDF.

Insurance & Reinsurance in Canada – 2017

The 2017 publication of Getting the Deal Through is now available and includes our updated summary guide to the regulation of insurance and reinsurance in Canada. Click here for access to the e-Book.

Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through: Insurance & Reinsurance 2017, (published in June 2017; contributing editors: William D Torchiana, Mark F Rosenberg and Marion Leydier, Sullivan & Cromwell LLP). For further information please visit www.gettingthedealthrough.com.

Insurance & Reinsurance in Canada – 2016

The 2016 publication of Getting the Deal Through is now available and includes our updated summary guide to the regulation of insurance and reinsurance in Canada. Click here for access to a PDF version of the Canadian chapter.

Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through: Insurance & Reinsurance 2016, (published in June 2016; contributing editors: William D Torchiana, Mark F Rosenberg and Marion Leydier, Sullivan & Cromwell LLP). For further information please visit www.gettingthedealthrough.com.

Insurance & Reinsurance in Canada

Our summary guide to the regulation of insurance and reinsurance in Canada, published in Getting the Deal Through, is available here.

Authored by John L. Walker, Sean G. Sorensen and Margaret Pak.

Reproduced with permission from Law Business Research Ltd.

This article was first published in Getting the Deal Through – Insurance & Reinsurance 2013, (published in July, 2013; contributing editor: E Paul Kanefsky, Edwards Wildman Palmer LLP).

For further information please visit www.GettingTheDealThrough.com.

OSFI’s New Corporate Governance Guideline

OSFI has released its new Corporate Governance Guideline (the “Guideline”), which sets out its corporate governance expectations for all federally regulated financial institutions (other than foreign branches).

Walker Sorensen LLP is pleased to announce its association with Independent Review Inc. and RiskOnBoard Inc. as THE INDEPENDENT REVIEW GROUP (“IRG”). IRG has been established to assist financial institutions in complying with the requirements under the new Guideline.

Feel free to contact us to learn more about how IRG can help your institution comply with the Guideline’s requirements, or click here to learn more about IRG.