Consultation on OSFI Guidelines for Technology and Cyber Risk Management

Draft guideline sets expectations for federally regulated financial institutions to manage technology-based risks

On November 9, 2021, the Canadian Office of the Superintendent of Financial Institutions (OSFI) launched a consultation on their draft Tech and Cyber Risk Management Guideline (B-13). This new draft guideline follows a previous consultation that sought feedback on the OSFI discussion paper Delivering financial sector resilience in a digital world.

The guidelines express OSFI’s expectations for federally regulated financial institutions across five dimensions:

1. Governance and Risk Management – Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks. 

2. Technology Operations – A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable operating processes. 

3. Cyber Security – A secure technology posture that maintains the confidentiality, integrity and availability of the federally regulated financial institution’s technology assets. 

4. Third-Party Provider Technology and Cyber Risk – Reliable and secure technology and cyber operations from third-party providers.

5. Technology Resilience – Technology services are delivered, as expected, through disruption. 

The consultation is open for comment until February.