OSFI releases new guideline for technology and cyber risk, balancing innovation with risk management
News release - Ottawa -
Today, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13. This guideline sets out OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks such as data breaches, technology outages and more.
The widespread use of technology and the growing rate of cyber incidents has created an urgent need for enhanced regulatory guidance to FRFIs on technology and cyber risk management. OSFI’s final Guideline B-13 provides that guidance, while allowing FRFIs to compete effectively and take full advantage of digital innovation.
The Guideline is organized around three “domains,” each of which sets out key components for sound risk management: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security. In turn, each of these domains includes a desired outcome aimed at helping FRFIs understand OSFI’s expectations, focusing on the “why” and “to what end” of technology and cyber risk management.
The final Guideline B-13 will be effective as of January 1, 2024, to provide financial institutions sufficient time to self-assess and ensure compliance with this new guideline.
“With today’s release of final Guideline B-13, OSFI has crafted a flexible, principles-based approach towards managing technology and cyber risk that takes into consideration the size, nature, scope and complexity of financial institutions.”
- Jamey Hubbs, Vice-Superintendent
Quick facts
- Final Guideline B-13 is the product of extensive consultation with industry, starting with the September 2020 publication of a discussion paper and a consultation period from September to December 2020. Following the release of OSFI’s draft Guideline B-13 in November 2021, OSFI further consulted on its proposed guidance regarding technology and cyber risk from November 2021 to February 2022. The final Guideline B-13 published today is the result of that process.
- Compared with the draft consultation version, the final Guideline B-13 is more streamlined and less prescriptive with clearer definitions and expectations.
- Guideline B-13 is complemented by OSFI’s existing guidance and tools, including the Corporate Governance Guideline, Guideline E‑21 (Operational Risk Management), the revised draft Guideline B‑10 (Third-Party Risk Management), the Technology and Cyber Security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.