On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to comply with the requirements of the Guideline before it comes into effect on January 1, 2024.
It is noteworthy that as OSFI released the guidelines, it explained that one rationale for the Guideline was that the “risk environment has created an urgency for enhanced regulatory guidance for FRFIs […]”. This reasoning is consistent with OSFI’s recent focus and pronouncements on cybersecurity readiness and response. The Guideline is not intended to be a “one size fits all” approach, but should be implemented according to the FRFI’s specific risk structure and operational needs.
The Guideline is divided into three broad categories:
- Governance and Risk Management sets out the expectations for the formal accountability, leadership and structure of FRFIs, the cyber strategies they have in place, and their risk management framework and cybersecurity oversight.
- Technology Operations and Resilience sets out the expectations around management of risks related to the design, implementation, and recovery of technology assets and services.
- Cyber Security sets out the expectations for the management and oversight of cyber risk.