On November 9, 2021, the Office of the Superintendent of Financial Institutions Canada (OSFI) published Draft Guideline B-13: Technology and Cyber Risk Management ("Draft Guideline"), which outlines OSFI's expectations for federally regulated financial institutions (FRFIs) regarding technology and cyber risk management. The Draft Guideline would apply to all FRFIs, including banks and insurance companies, with the stated objective of helping FRFIs develop "greater resilience to technology and cyber risks". Effective November 9, 2021, OSFI is also conducting a three-month public consultation on the Draft Guideline to engage stakeholders in its development and is inviting public comments until February 9, 2022.

Meaning of Technology Risk and Cyber Risk

The Draft Guideline uses materially similar definitions for "technology risks" and "cyber risks":

  • A technology risk is the "risk arising from the inadequacy, disruption, failure, loss or malicious use of information technology systems, infrastructure, people or processes that enable and support business needs and can result in financial loss".
  • A cyber risk is the "risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of an institution's information technology systems and/or the data contained therein".

Although these definitions both capture risks to information technology systems and the potential for financial loss, a key distinguishing feature is that cyber risks also include risks to the data hosted in information technology systems as distinct from the technology itself, whereas technology risks also include risks to other infrastructure, people, and processes. Further, cyber risks encompass a broader range of potential harms, including operational disruption and reputational damage.

Summary of OSFI's Expectations for Technology and Cyber Risk Management

The Draft Guideline is organized into five domains: Governance and Risk Management, Technology Operations, Cyber Security, Third-Party Provider Technology and Cyber Risk, and Technology Resilience. Each domain sets out OSFI's expectations, the key components of sound technology and cyber risk management, the desired risk management outcome, and guiding principles, which are summarized in the table below. FRFIs will be evaluated on these expectations commensurate with their size, the nature, scope, complexity of their operations, and their risk profiles:

Domain 1

Governance and Risk Management

Expectations: Sets OSFI's expectations on formal accountability, leadership, organizational structure and framework used to support risk management and oversight of technology and cyber security.

Desired Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.

Principles (1 to 3):

  1. Accountability and Organization Structure: Senior Management should assign responsibility for managing technology and cyber risks to senior officers, and also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.
  2. Technology and Cyber Strategy: The FRFI should define, document, approve and implement a strategic technology and cyber plan(s) that aligns to the FRFI's business strategy while setting goals and objectives that are measurable and evolve with changes in the FRFI's technology and cyber environment.
  3. Technology and Cyber Risk Management Framework: The FRFI should establish a technology and cyber risk management framework (RMF). The framework should set out a risk appetite for technology and cyber risks, and define what processes and requirements the FRFI utilizes to identify, assess, manage, monitor and report on technology and cyber risks.

Domain 2

Technology Operations

Expectations: Sets OSFI's expectations on management and oversight of risks related to the design, implementation and management of technology assets and services.

Desired Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.

Principles (4 to 11):

  1. Technology Architecture: The FRFI should implement a technology architecture framework, with supporting processes to ensure solutions are built in line with business, technology and security requirements.
  2. Technology Asset Management: The FRFI should maintain an updated inventory of all technology assets supporting business processes or functions. The FRFI's asset management process should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle, and monitor and manage technology currency.
  3. Technology Project Management: Effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within the FRFI's risk appetite.
  4. System Development Life Cycle: The FRFI should implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.
  5. Change and Release Management: The FRFI should establish and implement a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.
  6. Patch Management: The FRFI should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.
  7. Incident and Problem Management: The FRFI should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.
  8. Technology Service Measurement and Monitoring: The FRFI should develop service and capacity standards, and processes to monitor operational management of technology, ensuring business needs are met.

Domain 3

Cyber Security

Expectations: Sets OSFI's expectations on management and oversight of cyber risk.

Desired Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI's technology assets.

Principles (12 to 15):

  1. Identify: The FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.
  2. Defend: The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.
  3. Detect: The FRFI designs, implements and maintains continuous security detection capabilities to enable monitoring, alerting, and enable forensic cyber security incident investigations.
  4. Respond, Recover and Learn: The FRFI should triage, respond to, contain, recover and learn from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.

Domain 4

Third-Party Provider Technology and Cyber Risk

Expectations: Expands on OSFI's existing guidance for outsourcing and third-party risk, and sets expectations for FRFIs that engage with third-party providers to obtain technology and cyber services that give rise to cyber and/or technology risk.

Desired Outcome: Reliable and secure technology and cyber operations from third-party providers.

Principles (16):

  1. General: The FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP's life cycle, from due diligence to termination/exit.

Domain 5

Technology Resilience

Expectations: Sets OSFI's expectations on the capabilities to deliver technology services through operational disruption.

Desired Outcome: Technology services are delivered, as expected, through disruption.

Principles (17):

  1. Disaster Recovery: The FRFI should establish and maintain an Enterprise Disaster Recovery Framework (EDRF) to support its ability to deliver technology services through disruption and operate within its risk tolerance.


The Draft Guideline acknowledges that technology and cyber security best practices are fluid and dynamic, and encourages FRFIs to also consult other OSFI guidance, tools and supervisory communications, along with other applicable guidance from relevant authorities, particularly the following:

Public Consultation

OSFI's three-month public consultation is intended to reflect continued stakeholder engagement and transparency on the Draft Guideline, and to assist OSFI in striking a balance between its prudential objectives and facilitating the ability of financial institutions to compete. Public comments are particularly welcomed by OSFI on:

  • the clarity of OSFI's expectations as set out in the Draft Guideline;
  • the application of these expectations, commensurate with the institution's size, nature, scope, and complexity of operations;
  • the balance between principles and prescriptiveness in OSFI's expectations; and
  • other suggestions that contribute to OSFI's mandate to protect depositors and policyholders, and maintain public confidence in the Canadian financial system, while also allowing institutions to compete and take reasonable risks.

Comments can be submitted to Tech.Cyber@osfi-bsif.gc.ca by February 9, 2022. OSFI is also planning an information session for financial institutions within the coming weeks to provide an overview of the Draft Guideline and an opportunity for questions.

Takeaways for FRFIs and Third-Party Providers

The publication of the Draft Guideline is pursuant to OSFI's Near-Term Plan of Prudential Policy published on May 6, 2021 ("Near-Term Plan"), which expressly committed OSFI to developing OSFI's expectations on technology and cyber risk management in Q4 of 2021. As indicated in the Near-Term Plan and Draft Guideline, OSFI's next objective is to update Guideline B-10: Outsourcing of Business Activities, Functions and Processes in Q1 of 2022, and to expand its scope of third-party risk management beyond outsourcing. Accordingly, FRFIs and their third-party providers can expect additional significant regulatory developments and should begin to strategically prepare for the potential impact on their operations.

FRFIs should review their technology and cyber risk management frameworks and third party service agreements to prepare for OSFI's new focus on these issues. Although the Draft Guideline is subject to further development after the public consultation, FRFIs should expect that its key themes will generally be maintained, and that its final expectations will go beyond making additional investments in information technology and security. While these are of course critical to any technology and cyber risk management framework, FRFIs may also need to revisit their practices with respect to governance, risk accountability, asset management, and relationships with third-party providers. For their part, third-party providers that provide information technology and other services to FRFIs may also need to revisit their Canadian financial industry templates and related practices to account for these new regulatory developments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.