OSFI releases new guideline for technology and cyber risk, balancing innovation with risk management Français

OTTAWA, ON, July 13, 2022 /CNW/ - Today, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13. This guideline sets out OSFI's expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks such as data breaches, technology outages and more.

The widespread use of technology and the growing rate of cyber incidents has created an urgent need for enhanced regulatory guidance to FRFIs on technology and cyber risk management. OSFI's final Guideline B-13 provides that guidance, while allowing FRFIs to compete effectively and take full advantage of digital innovation.

The Guideline is organized around three "domains," each of which sets out key components for sound risk management: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security. In turn, each of these domains includes a desired outcome aimed at helping FRFIs understand OSFI's expectations, focusing on the "why" and "to what end" of technology and cyber risk management.

The final Guideline B-13 will be effective as of January 1, 2024, to provide financial institutions sufficient time to self-assess and ensure compliance with this new guideline.

"With today's release of final Guideline B-13, OSFI has crafted a flexible, principles-based approach towards managing technology and cyber risk that takes into consideration the size, nature, scope and complexity of financial institutions."

     -     Jamey Hubbs, Vice-Superintendent

• Final Guideline B-13 is the product of extensive consultation with industry, starting with the September 2020 publication of a discussion paper and a consultation period from September to December 2020. Following the release of OSFI's draft Guideline B-13 in November 2021, OSFI further consulted on its proposed guidance regarding technology and cyber risk from November 2021 to February 2022. The final Guideline B-13 published today is the result of that process.
• Compared with the draft consultation version, the final Guideline B-13 is more streamlined and less prescriptive with clearer definitions and expectations.
• Guideline B-13 is complemented by OSFI's existing guidance and tools, including the Corporate Governance Guideline, Guideline E‑21 (Operational Risk Management),  the revised draft Guideline B‑10 (Third-Party Risk Management), the Technology and Cyber Security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.

• September 2020 consultation paper, "Developing financial sector resilience in a digital world"
• November 2021 consultation on draft Guideline B-13
• June 2021 response to consultation feedback on draft Guideline B-13

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada, established in 1987, to protect depositors, policyholders, financial institution creditors and pension plan members, while allowing financial institutions to compete and take reasonable risks. OSFI supervises more than 400 federally regulated financial institutions and 1,200 pension plans to determine whether they are in sound financial condition and meeting their prudential requirements.

SOURCE Office of the Superintendent of Financial Institutions

Media Contact: OSFI - Public Affairs, [email protected], 343-550-9373