OSFI’s Technology and Cyber Risk Management Guideline: Part 1

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements of the Guideline prior to it coming into effect on January 1, 2024. 

It is noteworthy that as OSFI released the guidelines, it explained that one rationale for the Guideline was that the “risk environment has created an urgency for enhanced regulatory guidance for FRFIs […]”. This reasoning is consistent with OSFI’s recent focus and pronouncements on cybersecurity readiness and response. The Guideline is not intended to be a “one size fits all” approach, but should be implemented according to the FRFI’s specific risk structure and operational needs. 

The Guideline is divided into three broad categories:

• Governance and Risk Management sets out the expectations for the formal accountability, leadership and structure of FRFIs, the cyber strategies they have in place, and their risk management framework and cybersecurity oversight.
• Technology Operations and Resilience sets out the expectations around management of risks related to the design, implementation, and recovery of technology assets and services.
• Cyber Security sets out the expectations for the management and oversight of cyber risk.

In this update, we discuss five key elements of the Guideline’s first two categories and provide practical tips for compliance. Our next update will take a deeper dive into the incident management, disaster recovery and cybersecurity matters set out in the Guideline.

1. Allocation of Resources 

A key theme that emerges throughout the Guideline is that FRFIs are expected to provide sufficient resourcing for managing technology risks and cyber risks. The Guideline not only sets out requirements to provide sufficient financial resources, but also personnel resources. FRFIs are expected to hire subject matter experts and ensure that responsibility for managing technology risk is assigned to senior officers within the organization, such as the head of IT, chief technology officer, chief information officer, head of cybersecurity or chief information security officer. Each senior officer’s role should be clearly defined, continuous training should be provided and FRFIs are expected to support a culture of awareness throughout the organization.

Resource allocation has been the primary challenge for many businesses (FRFIs included). Developing a detailed list of required resources (financial and personnel) helps crystalize the needs and makes it possible to better structure a plan on how to achieve this goal by working with human resources and other stakeholders.

2. Understanding and Managing Key Assets

FRFIs are expected to maintain a comprehensive and current inventory of key technology assets. The Guideline defines technology assets as “something tangible (e.g., hardware, infrastructure) or intangible (e.g., software, data, information) that needs protection and supports the provision of technology services.” 

The inventory should set out the latest updates and patching history to all technology assets. Technology assets are expected to be categorized based on criticality, and “crown jewels” should be identified, taking into consideration how these assets are used and what data may reside on them. 

Policies and processes should also be put into place for safe destruction or disposal of technology assets.  Furthermore, FRFIs should document approved baseline configurations for their technology assets, and should implement processes for identifying, assessing and remediating discrepancies from the approved baselines. 

While this may seem straightforward, for FRFIs that have national and global reach, multiple legacy systems and complex IT stacks, such an exercise can be lengthy and resource intensive. Nevertheless, OSFI expects FRFIs to have visibility on their critical assets and be able to respond to OSFI requests regarding these assets in the event of a reportable technology or cybersecurity incident.

3. System Development Life Cycle 

Another key requirement set out in the Guideline is the implementation of a system development life cycle (SDLC) process that achieves security and functionality, while ensuring systems and software perform as anticipated. 

FRFIs are expected to outline processes for each phase of the SDLC, including software development methodologies, as well as  establish control gates and ensure alignment with their SDLC framework and technology policies. When acquiring new software and systems, FRFIs should also conduct security risk assessments and impose control requirements on system implementation. From a maintenance standpoint and to ensure minimum disruption to an FRFI’s production environment, FRFIs are expected to develop a change and release management standards outlining key controls to ensure changes (including emergency changes) to technology are implemented in a controlled manner. Examples of standards include tracking changes and ensuring the same person cannot develop, authorize, execute and move code or release between production and testing environments.

While this requirement meets industry best practices, the key takeaway is the requirement by FRFIs to demonstrate to OSFI’s satisfaction that documented processes are in place that they are following when it comes to SDLCs. 

4. Governance and Risk Frameworks

The Guideline emphasizes the need for developing regulatory frameworks and plans regarding technology risk and governance matters. FRFIs are expected to align the organization’s technology and cyber risk framework with their enterprise risk management framework. While maintenance of organizational policies and standards are included important components, some key elements to also address in a technology and cyber risk management framework are emerging threats and technologies as well as processes for ensuring accountability and reporting to senior management. In addition, FRFIs should develop a technology architecture framework that supports the FRFI’s business, technology and security needs, ensuring governance, management, evolution and consistent implementation of IT infrastructure. FRFIs should consider infrastructure, emerging technologies and relevant data when developing this framework.

5. Strategic Alignment and Ongoing Monitoring

Overall, FRFIs should implement strategic plans that outline measurable business goals and objectives, and evolve with industry and legal requirements. Strategic plans should address planned changes in the FRFI’s technology, outline opportunities and threats and assess how to measure progress against strategic goals. One way of achieving this is to prepare a business-wide project management framework, and periodically measure, monitor and report on performance and associated risks. 

In addition, all technology assets should be monitored and maintained. Maintenance includes ensuring implementation of software patches in a timely manner and reviewing performance of technology assets regularly. Performance monitoring also extends to external vendors engaged by an FRFI. For instance, any agreements with third party vendors should include requirements to ensure the vendor meets performance indicators and provides remediation when the targets are not met.

FRFIs are also expected to regularly review all plans, policies and processes and ensure alignment with changes in the FRFI’s internal and external technology environment.