On November 9, 2021, the Office of the Superintendent of Financial Institutions Canada (OSFI) published Draft Guideline B-13: Technology and Cyber Risk Management (“Draft Guideline”), which outlines OSFI’s expectations for federally regulated financial institutions (FRFIs) regarding technology and cyber risk management. The Draft Guideline would apply to all FRFIs, including banks and insurance companies, with the stated objective of helping FRFIs develop “greater resilience to technology and cyber risks”. Effective November 9, 2021, OSFI is also conducting a three-month public consultation on the Draft Guideline to engage stakeholders in its development and is inviting public comments until February 9, 2022.
Meaning of Technology Risk and Cyber Risk
The Draft Guideline uses materially similar definitions for “technology risks” and “cyber risks”:
- A technology risk is the “risk arising from the inadequacy, disruption, failure, loss or malicious use of information technology systems, infrastructure, people or processes that enable and support business needs and can result in financial loss”.
- A cyber risk is the “risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of an institution’s information technology systems and/or the data contained therein”.
Although these definitions both capture risks to information technology systems and the potential for financial loss, a key distinguishing feature is that cyber risks also include risks to the data hosted in information technology systems as distinct from the technology itself, whereas technology risks also include risks to other infrastructure, people, and processes. Further, cyber risks encompass a broader range of potential harms, including operational disruption and reputational damage.
Summary of OSFI’s Expectations for Technology and Cyber Risk Management
The Draft Guideline is organized into five domains: Governance and Risk Management, Technology Operations, Cyber Security, Third-Party Provider Technology and Cyber Risk, and Technology Resilience. Each domain sets out OSFI’s expectations, the key components of sound technology and cyber risk management, the desired risk management outcome, and guiding principles, which are summarized in the table below. FRFIs will be evaluated on these expectations commensurate with their size, the nature, scope, complexity of their operations, and their risk profiles:
Governance and Risk Management
Expectations: Sets OSFI’s expectations on formal accountability, leadership, organizational structure and framework used to support risk management and oversight of technology and cyber security.
Desired Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
Principles (1 to 3):
Expectations: Sets OSFI’s expectations on management and oversight of risks related to the design, implementation and management of technology assets and services.
Desired Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.
Principles (4 to 11):
Expectations: Sets OSFI’s expectations on management and oversight of cyber risk.
Desired Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.
Principles (12 to 15):
Expectations: Expands on OSFI’s existing guidance for outsourcing and third-party risk, and sets expectations for FRFIs that engage with third-party providers to obtain technology and cyber services that give rise to cyber and/or technology risk.
Desired Outcome: Reliable and secure technology and cyber operations from third-party providers.
Expectations: Sets OSFI’s expectations on the capabilities to deliver technology services through operational disruption.
Desired Outcome: Technology services are delivered, as expected, through disruption.
The Draft Guideline acknowledges that technology and cyber security best practices are fluid and dynamic, and encourages FRFIs to also consult other OSFI guidance, tools and supervisory communications, along with other applicable guidance from relevant authorities, particularly the following:
- OSFI Guideline E-21: Operational Risk Management (summarized in our previous bulletin, "OSFI Releases Final Operational Risk Management Guideline");
- OSFI Guideline B-10: Outsourcing (note that OSFI is undertaking a review of Guideline B-10);
- OSFI Cyber Security Self-Assessment Tool (summarized in our previous bulletin, "Updated OSFI Advisory: Technology and Cyber Security Incident Reporting");
- OSFI Technology and Cyber Security Incident Reporting Advisory (summarized in our previous bulletin, "Updated OSFI Advisory: Technology and Cyber Security Incident Reporting");
- Alerts, advisories and other communications issued by the Canadian Centre for Cyber Security; and,
- Recognized frameworks and standards for technology operations and information security.
OSFI’s three-month public consultation is intended to reflect continued stakeholder engagement and transparency on the Draft Guideline, and to assist OSFI in striking a balance between its prudential objectives and facilitating the ability of financial institutions to compete. Public comments are particularly welcomed by OSFI on:
- the clarity of OSFI’s expectations as set out in the Draft Guideline;
- the application of these expectations, commensurate with the institution’s size, nature, scope, and complexity of operations;
- the balance between principles and prescriptiveness in OSFI’s expectations; and
- other suggestions that contribute to OSFI’s mandate to protect depositors and policyholders, and maintain public confidence in the Canadian financial system, while also allowing institutions to compete and take reasonable risks.
Comments can be submitted to Tech.Cyber@osfi-bsif.gc.ca by February 9, 2022. OSFI is also planning an information session for financial institutions within the coming weeks to provide an overview of the Draft Guideline and an opportunity for questions.
Takeaways for FRFIs and Third-Party Providers
The publication of the Draft Guideline is pursuant to OSFI’s Near-Term Plan of Prudential Policy published on May 6, 2021 (“Near-Term Plan”), which expressly committed OSFI to developing OSFI’s expectations on technology and cyber risk management in Q4 of 2021. As indicated in the Near-Term Plan and Draft Guideline, OSFI’s next objective is to update Guideline B-10: Outsourcing of Business Activities, Functions and Processes in Q1 of 2022, and to expand its scope of third-party risk management beyond outsourcing. Accordingly, FRFIs and their third-party providers can expect additional significant regulatory developments and should begin to strategically prepare for the potential impact on their operations.
FRFIs should review their technology and cyber risk management frameworks and third party service agreements to prepare for OSFI’s new focus on these issues. Although the Draft Guideline is subject to further development after the public consultation, FRFIs should expect that its key themes will generally be maintained, and that its final expectations will go beyond making additional investments in information technology and security. While these are of course critical to any technology and cyber risk management framework, FRFIs may also need to revisit their practices with respect to governance, risk accountability, asset management, and relationships with third-party providers. For their part, third-party providers that provide information technology and other services to FRFIs may also need to revisit their Canadian financial industry templates and related practices to account for these new regulatory developments.