On July 13, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of Guideline B-13, Technology and Cyber Risk Management (the “Guideline”).
First released in November 2021, the Guideline sets out OSFI expectations regarding the management of technology and cybersecurity risks by federally regulated financial institutions (FRFIs) (see our previous article here for more details).
While the Draft Guideline was divided into 5 domains that provide key components required for a robust technology and cyber risk management, notably (i) governance and risk management, (ii) technology operations, (iii) cyber security, (iv) third-party provider technology and (v) cyber risk and technology resilience; this final version is divided into three domains:
Governance and Risk Management which wets out OSFI’s expectations for the formal accountability, leadership, organizational structure and framework.
Technology Operations and Resilience – which sets out OSFI’s expectations for management and oversight of risks related to the design, implementation, management and recovery of technology assets and services.
Cyber Security – which sets out OSFI’s expectations for management and oversight of cyber risk.
The detailed provisions pertaining to third-party providers, including cloud service providers have been removed from the final version.
Guideline B-13 must be read in conjunction with other OSFI’s existing guidance and tools, including the revised Draft Guideline B-10: Third-Party Risk Management, the Technology and Cyber Security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.
The Guideline will become effective on January 1, 2024.