OSFI’s Technology and Cyber Risk Management Guideline: Part 2

In July of this year, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of its Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to comply with the requirements of the Guideline prior to it coming into effect on January 1, 2024.   

In our previous publication regarding this Guideline, we discussed key themes and practical tips addressed in the Guideline’s first two categories, namely (i) Governance and Risk Management; and (ii) Technology Operations and Resilience.  In this update, we will be taking a closer look at some of the key requirements set out in the Guideline concerning incident and problem management, disaster recovery and cybersecurity.

Identification and evaluation of cybersecurity weaknesses

A key requirement set out in the Guideline is the need for FRFIs to implement processes to effectively identify and evaluate technology incidents, cybersecurity threats and security vulnerabilities.  

Furthermore, FRFIs are expected to define clear, responsive and risk-based incident management procedures.  These procedures should define standards for identifying and classifying incidents based on their impact on business services. To achieve this, FRFIs should establish a cyber incident taxonomy that includes classification categories based on, for example, severity, category, type and root cause.

FRFIs are also expected to maintain continuous situational awareness of the threats directly facing their technology assets and any vulnerabilities in their technology assets. OSFI notes in the Guideline that threats should be proactively identified through conducting threat assessments and/or through subscribing to sources of reputable threat information (i.e., threat intelligence services). Once identified, the threats and vulnerabilities should then be ranked based on the severity level and risk exposure to the FRFI’s technology assets. To identify vulnerabilities, FRFIs should define and implement processes to conduct vulnerability assessments (e.g., penetration testing and vulnerability assessments) of its technology assets on a regular basis.  The scope, frequency, and potential impact of such testing should be clearly defined by the FRFI.   

Proactive identification and evaluation of cybersecurity vulnerabilities will enable FRFIs to conduct remediation activities in a prompt and prioritized fashion, and will help prevent major cyber incidents. 

Implementing an enterprise disaster recovery program

Among other obligations, the Guideline requires FRFIs to establish and maintain an enterprise disaster recovery program (EDRP) that sets out the FRFI’s approach to recovering technology services during a disruption. An effective EDRP requires the development of procedures and capabilities to recover technology services to an acceptable level in a timely manner following a disruption. The Guideline does not specify baselines regarding acceptable level and timeframe, but instead notes that acceptable level and timeframe should be identified by the FRFIs.

The Guideline emphasizes the need for conducting regular testing to ensure that the incident management procedures and the EDRP are operating effectively, and that cybersecurity-related vulnerabilities are being proactively identified and addressed. Testing should cover backup and recovery capabilities as well as critical third-party technologies and integration points. Testing scenarios should be forward-looking and should account for (i) new and emerging risks or threats; (ii) material changes to business objectives or technologies; (iii) situations that may lead to prolonged outage; and (iv) previous incident history and known technology weaknesses.

Preventative cybersecurity controls

The Guideline recommends that cybersecurity controls should be multi-layered and should be designed to be preventive rather than detective – which is consistent with the “defence in depth” model commonly employed by cybersecurity engineers. FRFIs should consider deploying additional layers of security controls for its critical and external-facing technology assets.  FRFIs are also expected to minimize its attack surface as much as possible to mitigate any cybersecurity risks.

Controls should also be implemented to identify, classify and protect both structured and unstructured data based on their confidentiality classification. To assist in the protection of data throughout its life cycle, FRFIs should also implement data loss prevention capabilities and controls for data at rest, in transit and in use. 

When feasible, FRFIs are expected to maintain cybersecurity models to identify threats faced by its technology assets and services. As part of the effort to identify threats on a proactive basis, the Guideline also notes that FRFIs should use manual techniques (e.g. review by an individual rather than an automated detection tool) to identify and isolate threats that may not be detected by automated means. 

In addition to technological controls, physical access controls and processes need to be implemented to protect network infrastructure and other technology assets from unauthorized access and environmental hazards. 

While policies are important, ensuring implementation of proper controls plays a crucial role in guarding against cyber incidents.

Continuous learning and improvement

The Guideline requires FRFIs to establish processes and procedures to ensure ongoing learning and improvement, including learning from security incidents.  

As set out in the Guideline, FRFIs are expected to conduct post-incident investigations for incidents where technology assets have been materially exposed. Depending on the severity of the incident, FRFIs may need to conduct a detailed post-incident assessment to determine the impact of the incident and the root cause of the incident. Root cause analysis should identify and assess any threats, weaknesses and vulnerabilities in its people, processes, technology and data.  FRFIs are expected to use the findings from the post-incident investigations to identify remediation actions and improve incident management procedures.

Processes aimed at continuous monitoring and improvement are essential for an FRFI to ensure compliance with the Guideline.

The authors wish to thank Sandeep Patel, law student, for his contribution to this legal update.