Canada: OSFI Releases Draft Guideline B-13 On Technology And Cyber Risk Management

On November 9, 2021, Canada's Office of the Superintendent of Financial Institutions ("OSFI") launched a public consultation on the newly released draft version of Guideline B-13: Technology and Cyber Risk Management. The proposed Guideline is designed to complement existing Guidelines E-21 (Operational Risk Management) and B-10 (Outsourcing of Business Activities, Functions and Processes) as well as OSFI's Technology and Cyber Incident Reporting Policy, including its Cyber Security Self-Assessment tool.

Comments on the draft version of Guideline B-13 will be accepted until February 9, 2022. The draft version is based in part on feedback received in response to OSFI's 2020 discussion paper on technology and related risks. OSFI's responses to specific feedback items were included with the November 9 announcement.

Relatedly, OSFI is also expecting to shortly release for comment a draft of a significantly updated and expanded version of Guideline B-10, which will include guidance respecting cloud service providers, in addition to providers of other outsourced services, and OSFI is consulting with federally regulated financial institutions (FRFIs) on operational resilience more generally.

Overall Approach of Guideline B-13

Draft Guideline B-13 takes what OSFI calls a "layered approach". In other words, its high-level expectations apply to all FRFIs but the more granular recommendations focus on "providing sufficiently clear guidance to institutions that may benefit from it". This approach recognizes that larger FRFIs, such as the major banks, may already have systems in place that fully address OSFI's high-level expectations. Like most recent OSFI guidance, the Guideline is principles-based, but also includes more than 20 pages of extensive and detailed operational and governance expectations, which will be challenging for smaller institutions to comply with. However, it indicates, as customary, that FRFIs should implement the expectations in a manner commensurate with the FRFI's particular size; nature, scope and complexity of operations; and risk profile. OSFI's expectations are technology-neutral "anticipating the need for FRFIs to compete effectively and take full advantage of digital innovation".

The uppermost layer of the Guideline, which applies most generally, are five "outcomes" that are expected with respect to the five "domains" that the Guideline addresses. These are as follows:

A second "layer" in the document consists of 18 "principles" that are scattered throughout the document, summarizing key points made in the detailed text, which constitutes the third and final "layer".

Our summary below is divided into five sections, reflecting the five "domains" that are considered in the Guideline.

1. Technology and Cyber Governance and Risk Management

The first section of the Guideline deals with governance and risk management. OSFI expects the FRFI's organizational structure to be designed to manage technology and cyber risks, with clear roles and responsibilities and adequate training and resources. Senior officers with stature and visibility in the FRFI's organization should be appointed to lead these efforts. Specific titles are not mandated, but these individuals would typically hold positions such as Chief Technology Officer ("CTO"), Chief Information Officer ("CIO"), Chief Information Security Officer ("CISO") and/or Head of Information Technology.

In addition, according to the Guideline each FRFI should develop:

• a strategic technology and cyber plan that aligns with its overall business plan and which is supported by the tools and processes necessary for its implementation; and
• a technology and cyber risk management framework ("RMF") that aligns with the FRFI's overall risk management plan. The RMF should include policies and processes as well as reporting and accountability standards, as outlined in the Guideline.

2. Technology Operations

The Guideline includes extensive operational recommendations relating to technology architecture, systems development life cycles, asset and project management, service management/monitoring and management of incidents, changes and patches. As noted above, the specific recommendations are intended as guidance and do not necessarily require organizations to change existing practices that achieve the same outcomes.

Technology architecture and service monitoring

The FRFI's systems infrastructure should be carefully designed for availability, scalability, security and resilience in the context of the business functions and services that they support. The importance of designing systems that can evolve in response to changes in the business is also emphasized.

The Guideline also recommends that internal technology service performance - including service desk and operations/network management, among others - be measured and monitored through the use of performance indicators and service targets.

Systems development life cycle ("SDLC") framework

The FRFI's technology architecture should be integrated into a SDLC framework that is structured so that new systems are never adopted without appropriate security and risk assessments. Controls recommended by the Guideline include (among others):

• peer code reviews;
• security scanning of code;
• privileged access management and key management;
• data integrity/confidentiality protection;
• removal of unnecessary services and programs; and
• authentication, authorization, security logging and monitoring.

The Guideline also recommends an extensive change management plan for both planned and emergency situations. Such a plan should include safeguards designed to ensure that authority over the change process is distributed among multiple individuals and that all changes are traceable. Patches should also be applied in accordance with these change management processes.

Technology asset and project management

Asset management is one of the key operational functions identified in the Guideline, which includes extensive recommendations for technology inventories. Technology assets should be categorized in terms of their critical importance to the business and significant interdependencies among assets should be noted.

The Guideline emphasizes the importance of recording all asset categories, including:

• the FRFI's own assets, whether owned, leased or otherwise;
• any employee assets that are used for business purposes, e.g. under "bring your own device" ("BYOD") policies; and
• assets owned by third parties, contractors, consultants, etc., that are used to provide services to the FRFI.

All forms of technology should be continuously monitored to ensure upgrades and patches are installed while obsolete and unsupported technology is removed or replaced.

The Guideline also recommends effective project management processes to ensure that technology projects are achieved within the FRFI's risk tolerance.

Incident and problem management

FRFIs should implement technology incident management standards that will allow them to detect, manage, resolve and report on incidents while simultaneously minimizing their impacts. These standards would generally include:

• defining and documenting roles and responsibilities;
• establishing early warning indicators;
• classifying incidents according to priority;
• developing response procedures that mitigate incident impacts, including communications strategies;
• performing stress tests on incident response plans; and
• establishing and testing incident management strategies with third-party providers such as crisis communications agencies.

In addition, post-incident reviews should be incorporated into the process in order to improve future incident response.

3. Cyber Security

The longest section of Guideline B-13 deals with cyber security. This section is divided into four subsections that focus respectively on (i) identifying, (ii) defending, (iii) detecting and (iv) responding to/recovering from cyber security risks and breaches.

Identifying security risks and breaches

The FRFI should identify risks, including through intelligence-led threat assessment and testing that enables technology vulnerabilities to be ranked by severity, with additional attention to cumulative risks (in which an incident engages multiple vulnerabilities simultaneously). Risks can also be identified through participation in industry-wide information-sharing forums. The FRFI's cyber risk profile should be constantly monitored and reported on.

Related to this is the identification of security breaches, including through periodic scans of data environments to detect changes and deviations that may indicate unauthorized access. Enabling and encouraging employees, customers and third parties to report suspicious activities is another recommended step, which may require an enhancement of employee education in the data security area.

Defending the business against security risks

The Guideline emphasizes preventative measures, recommending that the FRFI adopt "secure-by-design" practices throughout its operations and implement a process to convert detection controls into prevention controls. This includes adopting strong cryptographic technologies with secured encryption keys as part of a general program to control and regularly reassess access permissions, as well as strictly enforcing security configuration baselines (with detection and remediation of unapproved deviations).

Cyber security controls should be layered and designed to contain any cyber attack that may occur. Recognizing that data protection is critical at all points in the data life cycle, the Guideline recommends that FRFIs should:

• implement risk-based data protection controls for data residing in all environments under its direct control (including development, testing, production and backup) as well as in those under third-party control (including Cloud Service Providers ("CSPs"));
• protect backup data from ransomware and other cyber attacks;
• establish multi-layered controls for encrypting data at rest, in transit and in use; and
• implement risk-based data loss prevention strategies, focusing on high-risk cases.

When security vulnerabilities are discovered, they should be remediated according to pre-established timelines for various risk levels (e.g., a "critical" vulnerability should be remediated within 48 hours). The Guideline recommends that progress of remediation processes be formally monitored against the defined timelines.

In general, the FRFI is expected to safeguard its networks by minimizing their "attack surface". External facing application services and network infrastructure should have additional layers of security and be regularly and rigorously tested. The Guideline also recommends additional security for hosts, endpoints and mobile devices. In addition, network infrastructure and other technology assets should be protected by physical access controls and processes.

Detecting security issues

According to the Guideline, the FRFI should implement and maintain continuous and centralized security event logging with retention periods sufficient to support future forensic investigations. In addition to written rules and policies, this should include:

• monitoring tools that are regularly updated to reflect the latest threat intelligence; and
• advanced behaviour-based detection of anomalies in user and entity behaviour.

To ensure an effective response to urgent cyber security alerts, the Guideline recommends that the FRFI pre-assign roles and responsibilities in such situations in order to be fully prepared to respond when they occur.

Responding, recovering and learning

The FRFI is expected to implement protocols that integrate the cybersecurity incident responses of its technology, security, crisis management and communications functions. These should include:

• a "cyber incident taxonomy" that standardizes the terminology used in responding to, managing and reporting on cyber security incidents;
• the establishment of a cyber incident response team; and
• where aspects of cyber security are outsourced, clearly defined escalation thresholds for notification of FRFI management.

At the recovery phase, the Guideline recommends forensic investigations to determine ongoing material risks from an incident and, for high-severity incidents, detailed assessments designed to quantify economic and other impacts as well as to identify lessons learned and possible remedial actions.

4. Third-Party Provider Technology and Cyber Risk

This section of the Guideline is intended to be read in conjunction with Guideline B-10 (Outsourcing of Business Activities, Functions and Processes). The Guideline recommends the implementation of technology and cyber risk agreements between the FRFI and its CSP and/or other Third-Party Providers ("TPPs"). In addition, it recommends that the FRFI establish mechanisms to ensure compliance by its TPPs with the technology and cyber standards that were developed in with the Guideline. These include close monitoring of a TPP's access to the FRFI's systems and ensuring that the FRFI has access to any of its information in the possession of the TPP, as well as ensuring that the FRFI's standards for data protection, change management and security incident logging are applied to FRFI assets on a TPP platform.

The Guideline recommends specific requirements to ensure that the FRFI's use of cloud computing is consistent with its stated risk profile. These include augmenting the FRFI's existing controls and standards with cloud-specific provisions relating to data protection, management of vulnerabilities, cryptographic key management and others. Furthermore, in designing and implementing a cloud-based solution, the FRFI should ensure that applications and data are easily portable between CSPs in order to ensure that the FRFI can switch to a superior cloud environment if necessary.

5. Technology Resilience

The FRFI is expected to develop, implement and maintain an Enterprise Disaster Recovery Framework ("EDRF") that, in conjunction with its business continuity plan, serves as a guide to recovery from a major technology disruption. The EDRF should establish, at a minimum:

• responsibility for the availability and recovery of technology services;
• a process for identifying and analyzing technology services and key dependencies required to operate within the FRFI's risk tolerance;
• procedures for the timely restoration of technology services to an acceptable level when a disruption occurs; and
• data backup strategy, policy and processes (backup frequency, storage, destruction and testing).

"Key dependencies" include information security requirements for stored data (e.g. encryption) and the location of technology assets (e.g. of backup sites, service providers, etc.).

Finally, OSFI will expect the FRFI to test its EDRF against "severe but plausible" scenarios incorporating:

• new and emerging risks or threats;
• material changes to business objectives or technologies;
• the FRFI's incident history and any known technology complexities or weaknesses.

Disaster recovery scenarios should test the FRFI's backup and recovery processes to confirm that it can meet its predefined requirements in the context of key dependencies and the FRFI's onsite and outsourced technologies.

Conclusion

As noted above, comments on Guideline B-13 will be accepted until February 9, 2022. They may be submitted to Tech.Cyber@osfi-bsif.gc.ca. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.