• Deborah

On November 9, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month public consultation on its Draft Guideline B‑13: Technology and Cyber Risk Management (the’ Draft Guideline’).


The Draft Guideline is intended to help federally regulated financial institutions (FRFIs) developed greater resilience to technology and cyber risks.


Divided into 5 domains, the Draft Guideline sets out the key components required for a robust technology and cyber risk management, notably:

1. Governance and Risk Management – To ensure that technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks, OSFI expects FRFIs to follow some principles.

  • Accountability and Organizational Structure: Assign adequate responsibility and resources for managing technology and cyber risks to senior officers.

  • Technology & Cyber Strategy: Define, document, approve and implement a strategy technology and cyber plan(s).

  • Technology & Risk Management Framework: Establish a technology and cyber risk management framework (RMF), that should, amongst others, set out a risk appetite for technology and cyber risks.

2. Technology Operations – For a technology environment that is stable, scalable and resilient and an environment that is kept current and supported by robust and sustainable technology operating processes, OSFI expects FRFIs to meet principles relating to:

  • Technology Architecture: Through the implementation of a technology architecture framework in accordance with business, technology and security requirements.

  • Technology Asset Management: By maintaining an updated inventory of all technology assets supporting business processes or functions.

  • Technology Project Management: Through the implementation of effective processes to govern and manage technology projects, from initiation to closure.

  • System Development Life Cycle: Through the implementation of a SDLC framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.

  • Change and Release Management: By establishing and implementing a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.

  • Patch Management: These processes would help ensure the control and timely application of patches across the technology environment to address vulnerabilities and flaws.

  • Incident and Problem Management: To effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.

  • Technology Service Measurement and Monitoring: Through the development of service and capacity standards, and processes to monitor operational management of technology, ensuring business needs are met.

3. Cyber Security – For a secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets, FRFIs should meet the following principles:

  • Identify: By maintaining a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.

  • Defend: The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets. This includes data protection and loss prevention security controls.

  • Detect: By implementing and maintaining continuous security detection capabilities to enable monitoring, alerting, and enable forensic cyber security incident investigations.

  • Respond, Recover and Learn: from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.

4. Third-Party Provider Technology and Cyber Risk – For a reliable and secure technology and cyber operations from third-party providers, FRFIs should:

  • Ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP’s life cycle, from due diligence to termination/exit.

  • Establish Cloud-specific requirements.

5. Technology Resilience – To ensure that Technology services are delivered, as expected, through disruption.

  • The FRFI should establish and maintain an Enterprise Disaster Recovery Framework (EDRF).

  • The FRFI should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.

Interested stakeholders should submit their comments by February 9, 2022.


Recent Posts

See All

22/09/2022 - Coming into force of certain requirements regarding the Québec’s Act respecting the protection of personal information in the private sector, introduced by Bill 64, including but limited