The Office of the Superintendent of Financial Institutions (“OSFI”) launched a three-month public consultation on Draft Guideline B‑13, Technology and Cyber Risk Management (the “Proposed Guideline”) on November 9, 2021, and is inviting comments on the Proposed Guideline until February 9, 2022.
The Proposed Guideline has been released as part of OSFI’s Strategic Plan 2019 – 2022 and puts into action some of the themes set out in OSFI’s discussion paper Developing Financial Sector Resilience in a Digital World, published in September 2020.
The Proposed Guideline sets out OSFI’s expectations for sound technology and cyber risk management across five domains and, once finalized, would apply to all federally regulated financial institutions (“FRFIs”). However, consistent with OSFI’s other guidance on outsourcing, risk management and incident reporting, OSFI recognizes that the application of its expectations should be commensurate with the size, nature, scope and complexity of operations and the risk profile of each FRFI.
The five domains of OSFI’s expectations, and their respective desired outcomes, are as follows:
| | Domains for Sound Management of Technology and Cyber Risk | Outcomes |
|---|---|---|
| 1. | Governance and Risk Management | Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks |
| 2. | Technology Operations | A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes |
| 3. | Cyber Security | A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets |
| 4. | Third-Party Provider Technology and Cyber Risk | Reliable and secure technology and cyber operations from third-party providers |
| 5. | Technology Resilience | Technology services are delivered, as expected, through disruption |
OSFI recommends that the Proposed Guideline be considered in conjunction with other OSFI guidance, as well as other guidance issued by other authorities applicable to the FRFI’s operating environment. OSFI references, in particular, the OSFI Guideline E-21 (Operational Risk Management), OSFI Guideline B-10 (Outsourcing), OSFI Cyber Security Self-Assessment Tool, OSFI Technology and Cyber Security Incident Reporting Advisory, alerts, advisories and other communications issued by the Canadian Centre for Cyber Security, and recognized frameworks and standards for technology operations and information security.
Each of the five domains contains related prescriptive principles which are reproduced below. The Proposed Guideline contains further discussion related to each of these principles which expand on OSFI’s expectations for FRFIs in connection with meeting the requirements in each domain.
Domain 1 – Technology and Cyber Governance and Risk Management
Principle 1 – Accountability and Organizational Structure
Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.
Principle 2 – Technology and Cyber Strategy
The FRFI should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align with the FRFI’s business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment.
Principle 3 – Technology and Cyber Risk Management Framework
The FRFI should establish a technology and cyber risk management framework. The framework should set out a risk appetite for technology and cyber risks and define what processes and requirements the FRFI utilizes to identify, assess, manage, monitor and report on technology and cyber risks.
Domain 2 – Technology Operations
Principle 4 – Technology Architecture
The FRFI should implement a technology architecture framework with supporting processes to ensure solutions are built in line with business, technology and security requirements.
Principle 5 – Technology Asset Management
The FRFI should maintain an updated inventory of all technology assets supporting business processes or functions. The FRFI’s asset management process should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle and monitor and manage technology currency.
Principle 6 – Technology Project Management
The FRFI should ensure that effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within the FRFI’s risk appetite.
Principle 7 – System Development Life Cycle
The FRFI should implement a System Development Life Cycle framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.
Principle 8 – Change and Release Management
The FRFI should establish and implement a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.
Principle 9 – Patch Management
The FRFI should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.
Principle 10 – Incident and Problem Management
The FRFI should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.
Principle 11 – Technology Service Measurement and Monitoring
The FRFI should develop service and capacity standards and processes to monitor the operational management of technology, ensuring that business needs are met.
Domain 3 – Cyber Security
Principle 12 – Identify
The FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.
Principle 13 – Defend
The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.
Principle 14 – Detect
The FRFI should design, implement and maintain continuous security detection capabilities to enable monitoring and alerting, and to support forensic cyber security incident investigations.
Principle 15 – Respond, Recover and Learn
The FRFI should triage, respond to, contain, recover and learn from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.
Domain 4 – Third-Party Provider (“TPP”) Technology and Cyber Risk
Principle 16 – General
The FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP’s life cycle, from due diligence to termination/exit.
Domain 5 – Technology Resilience
Principle 17 – Disaster Recovery
The FRFI should establish and maintain an Enterprise Disaster Recovery Framework to support its ability to deliver technology services through disruption and operate within its risk tolerance.
Principle 18 – Testing of Disaster Recovery
The FRFI should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.
OSFI is inviting public comments on the Proposed Guideline which must be submitted by February 9, 2022.
OSFI is particularly interested in feedback on:
- the clarity of OSFI’s expectations as set out in the Proposed Guideline;
- the application of these expectations in relation to a financial institution’s size, nature, scope, and complexity of operations;
- the balance between principles and prescriptiveness in OSFI’s expectations; and
- any other suggestions that may contribute to OSFI’s mandate, while also allowing institutions to compete and take reasonable risks.