On November 9, 2021, the Office of the Superintendent of Financial Institutions Canada (OSFI) announced the launch of a three-month consultation process on proposed Draft Guideline B-13: Technology and Cyber Risk Management (Guideline B-13). OSFI stated that the development of Guideline B-13 responds to feedback received from its discussion paper on technology and related risks entitled Developing financial sector resilience in a digital world published in the fall of 2020.

Guideline B-13 establishes OSFI's expectations related to technology and cyber risk management, which would apply to all federally regulated financial institutions (FRFIs). OSFI notes that Guideline B-13's aim is to support FRFIs in developing greater resilience to technology and cyber risks.

Guideline B-13 sets out OSFI's key components of sound technology and risk management and organizes them into the following five different domains which are explained in greater detail below:

  1. Technology governance and risk management
  2. Technology operations
  3. Cyber security
  4. Third-party provider technology and cyber risk
  5. Technology resilience

1. Technology governance and risk management

Guideline B-13 provides that the responsibility for managing technology and cyber risks should be assigned to senior officers of the FRFI (including the Chief Technology Officer and/or Chief Information Officer roles, where applicable). In addition, FRFIs should ensure that an appropriate organizational structure and adequate resources are in place for managing technology and cyber risks across their organization.

FRFIs should also define, document, approve and implement strategic technology and cyber plans, as applicable. These plans should align with the FRFIs' business strategy and contain goals and objectives that are measurable and that evolve with changes in the FRFIs' internal and external technology and cyber environment.

Lastly, FRFIs should establish a technology and cyber risk management framework which sets out the organization's appetite for technology and cyber risks, and defines what processes and requirements FRFIs utilize to identify, assess, manage, monitor and report on technology and cyber risks.

This is similar to the approach that FRFIs are expected to take with respect to the management of operational risk as outlined in OSFI Guideline E-21: Operational Risk Management (Guideline E-21).

2. Technology operations

Guideline B-13 also provides that FRFIs should implement a technology architecture framework, with supporting processes to ensure technologies are built in line with FRFIs' business, technology and security requirements. Additionally, FRFIs should maintain an updated inventory of all technology assets supporting business processes or functions. This includes implementing processes to categorize FRFIs' technology assets based on their overall importance to their business. This should identify technology assets that are critical to the functioning of FRFIs and therefore require enhanced cyber security protection.

OSFI also recommends that FRFIs implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that support the business. At a high level, the SDLC should describe control activities and processes in each phase of the life cycle of FRFIs' technology systems.

Ultimately, FRFIs should have technology environments that are stable, scalable, and resilient.

3. Cyber security

Guideline B-13 provides that FRFIs should proactively identify, defend, detect, respond and recover from external and internal cyber security threats, events and incidents to maintain the confidentiality, integrity and availability of their technology assets. To achieve this, OSFI would expect FRFIs to undertake certain actions, including:

  • Maintaining a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and internal threat actors;
  • Designing, implementing and maintaining multi-layer, preventive cyber security controls and measures to safeguard its technology assets. This includes FRFIs having the capability to undertake forensic cyber security incident investigations for significant cyber threats or incidents; and
  • Responding to, containing, recovering and learning from cyber security incidents, including incidents originating at third-party providers (TPPs).

4. Third-Party provider technology and cyber risk

FRFIs retain ultimate accountability for their outsourced activities. FRFIs are already expected to enter into formal written agreements with TPPs pursuant to OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes (Guideline B-10) which clarify each party's responsibilities in managing technology and cyber risks. Guideline B-13 highlights the importance of limiting ambiguity regarding responsibilities for technology and cyber controls between FRFIs and TPPs.

In particular, FRFIs should establish mechanisms to ensure that TPPs comply with the FRFIs' technology and cyber security standards. FRFIs should ensure such standards are developed in accordance with Guideline B-13 including:

  • Controlling FRFI and TPP access and associated privileges to each other's systems and data;
  • Applying the FRFIs' standards for data classification, protection and secure destruction to TPPs that store, use, modify or transmit data on behalf of FRFIs; and
  • Developing cloud computing specific requirements to ensure proper oversight and monitoring of compliance with FRFIs' technology and cyber risk management practices.

5. Technology resilience

Guideline E-13 provides that FRFIs should develop, implement and maintain an Enterprise Disaster Recovery Framework (EDRF) that sets out the FRFI's approach to recovering its technology capabilities during a disruption. The EDRF should be aligned with the FRFI's business continuity management program. At a minimum, the EDRF should establish:

  • Accountability and responsibility for the availability and recovery of technology services, including recovery actions;
  • A process for identifying and analyzing technology services and key dependencies required to operate within the FRFI's risk tolerance;
  • Procedures and capabilities to recover technology services to an acceptable level, within an acceptable timeframe, during disruption;
  • Strategies, policies, and processes for system and data backup that address, among other things: data retention periods; back-up processes and frequency; data storage and destruction processes; and periodic testing.

OSFI also expects FRFIs to regularly validate and report on disaster recovery strategies and plans against severe, but plausible, disruptions to the FRFI's technology systems. Scenarios should be forward-looking and incorporate, where appropriate: (i) new and emerging risks or threats; (ii) material changes to business objectives or technology; and (iii) previous incident history and FRFIs' known technology complexity and weaknesses. OSFI has highlighted in prior guidance that scenario analysis can be an important and useful operational risk management tool.

Conclusion

Similar to existing guidance issued by OSFI, Guideline B-13 takes a principles-based approach and would permit FRFIs to consider the organization's size, nature, scope and complexity of operations, as well as its overall risk profile in determining how to implement the expectations set out in Guideline B-13. In addition, the expectations in Guideline B-13 would co-exist and align with existing regulatory requirements, including those set out in Guideline B-10 –which we understand will be updated by OSFI in the next year– and Guideline E-21.

OSFI has indicated that it will schedule an information session for FRFIs within the coming weeks to provide an overview of Guideline B-13 and an opportunity for stakeholders to raise questions.

Industry stakeholders looking to provide comments as part of this consultation process may do so by submitting them to Tech.Cyber@osfi-bsif.gc.ca by February 9, 2022.

We encourage FRFIs to attend the information session and to review and assess their risk management frameworks and systems. FRFIs should seek legal advice where necessary to ensure that they are continuing to comply with evolving regulatory, privacy, security and record-keeping requirements.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.