December 6, 2023

Tullio Corradini

Trusted Legal Source

OSFI Adds to its Existing Technology and Cyber Risk Requirements with Guideline B-13

OSFI Adds to its Existing Technology and Cyber Risk Requirements with Guideline B-13

OSFI Provides to its Current Technology and Cyber Hazard Specifications with Guideline B-13

July 26, 2022
Privateness and Knowledge Stability Bulletin

3 minute read

On July 13, 2022, the Office environment of the Superintendent of Money Establishments (“OSFI”) issued its last Guideline B-13 – Technologies and Cyber Danger Administration (“Guideline B-13”).[1] Guideline B-13 is meant to support federally regulated economical institutions (“FRFIs”) build better resilience to technological know-how and cyber pitfalls, and is in addition to OSFI’s Technology and Cyber Stability Incident Reporting Advisory[2] (necessitating, inter alia, notification to the FRFI’s Guide Supervisor and OSFI’s Technology Hazard Division in composing of any reportable engineering and cyber security incidents inside of 24 hours or quicker) and Cyber Security Self-Evaluation[3] (made use of to assess an FRFI’s stage of cyber safety preparedness), each issued in August of 2021.

OSFI issued a draft model of Guideline B-13 in November 2021, and subsequently developed the guideline via a session method with crucial stakeholders. As in comparison with the November 2021 draft, Guideline B-13 is much more streamlined, less prescriptive in its expectations, and provides far more clarity in its definitions and expectations.[4]

Guideline B-13 focuses on the next three domains:

  1. Governance and Possibility Administration. This domain sets out OSFI’s anticipations for FRFI’s to have apparent obligations and structures, as very well as complete procedures and frameworks governing technological innovation and cyber chance (i.e., risk arising from the inadequacy, disruption, destruction, failure, problems from unauthorised entry, modifications, or malicious use of info technological innovation property, individuals or processes that help and help business enterprise desires, and can final result in economic decline and/or reputational problems). The emphasis of this area is on having a correct possibility management framework and organizational construction so that there is a very clear accountability procedure. Far more precisely, Guideline B-13 notes that senior management is accountable for directing the FRFI’s technology and cyber security functions, and ought to assign distinct obligation for technologies and cyber chance governance to senior officers. In addition, OSFI directs FRFIs to be proactive in anticipating the challenges and get ready for new difficulties as engineering evolves.
  2. Technologies Operations and Resilience. This domain sets out OSFI’s expectations for FRFIs to have a technology atmosphere that is stable, scalable and resilient. The technological know-how setting should really also be monitored to ensure it is recent and supported by sturdy and sustainable technological know-how operating and recovery procedures. This area discounts with a number of subject areas, including technological know-how architecture, asset management, project management, program advancement lifestyle cycle, implementation and patch management, problem management, checking, and catastrophe restoration.
  3. Cyber Protection. This domain sets out OSFI’s expectations for a protected technologies posture that maintains the confidentiality, integrity and availability of the FRFI’s technologies belongings. OSFI directs FRFIs to consider a proactive tactic in determining dangers and threats instead than reacting passively, and sets out the specifications to fulfill this aim. It also lists actions that should be in put to detect and defend in opposition to technologies and cyber threats (for illustration, making use of potent cryptographic technologies), as properly as to respond, recover and study from safety incidents.

The Guideline acknowledges that there is no 1 dimension matches all solution, and accordingly there can be adaptability in how FRFIs opt for to achieve the goals below each and every domain commensurate with the FRFI’s dimension, chance profile, and the mother nature, scope, and complexity of the FRFI’s operations.

Guideline B-13 will be helpful on January 1, 2024, supplying FRFIs time to self-assess and be certain compliance. FRFIs need to thoroughly evaluation Guideline B-13 to establish the extent to which their latest policies and strategies conform with the Guideline, and regardless of whether any amendments are important to keep on being compliant when the new Guideline comes into result.

Take note that related necessities have been created for provincially regulated monetary institutions more than the final number of years as well (for occasion, individuals observed in British Columbia’s Data Protection Guideline[5] or Saskatchewan’s Cyber Security Self-Assessment Questionnaire[6]).

If you have any inquiries about Guideline B-13 or how to produce powerful cyber safety plans and procedures, a member of McMillan’s Privacy and Data Protection Team would be delighted to help you.

[1] Technological know-how and Cyber Chance Management”, on the web: Workplace of the Superintendent of Economic Establishments (last modified July 13, 2022).
[2] Engineering and Cyber Security Incident Reporting”, on the web: Place of work of the Superintendent of Fiscal Institutions (last modified September 3, 2021).
[3] Cyber Protection Self-Evaluation”, on-line: Place of work of the Superintendent of Financial Institutions (past modified August 16, 2021).
[4] OSFI response to draft Guideline B-13 consultation suggestions – Engineering and Cyber Threat Administration“, on the web: Office environment of the Superintendent of Money Institutions (last modified June 9, 2022).
[5] Info Safety Guideline”, online: British Columbia Monetary Expert services Authority (last modified February 18, 2021).
[6] Cyber Security Self-Assessment Questionnaire”, on-line: Monetary and Buyer Affairs Authority of Saskatchewan.

by Darcy Ammerman, Robbie Grant, ZiJian Yang (Summer months Regulation University student)

A Cautionary Notice

The foregoing supplies only an overview and does not represent authorized tips. Readers are cautioned towards making any decisions centered on this substance by yourself. Instead, specific authorized information should really be attained.

© McMillan LLP 2022