Lead your OSFI B-13 compliance program
Background:
In early 2022, the Office of the Superintendent of Financial Institutions (OSFI) introduced the initial draft of Guideline B-13: Technology and Cyber Risk Management. Subsequently, following thorough consultations with stakeholders in the financial sector, the guideline was made to be less prescriptive and the final version was unveiled in July 2022, with its implementation scheduled for January 1, 2024. The guideline was created to respond to the rising technology and cyber threats and risks. The guideline allows federally regulated financial institutions (FRFIs) to compete and fully utilize digital innovation while maintaining sound technology risk management. The guideline is to be used with other OSFI guidance, tools, supervisory communications, and guidance from the Canadian Centre for Cyber Security.
The guideline applies to all FRFIs without exception, but acknowledges that "there is no one-size-fits-all approach for managing technology and cyber risks". The guideline is intended to be read, and implemented, from a risk-based perspective.
The guideline is layered into the three (3) domains listed below, each with a desired outcome; the domains are supported by seventeen (17) general principles and fifty-six (56) controls.
1. The governance and risk management domain aims to ensure your technology and cyber risks are governed through clear management roles, responsibilities, and comprehensive strategies and frameworks.
2. The technology operations and resilience domain aims to ensure you achieve a stable, scalable, and resilient technology environment that is current and supported by robust and sustainable processes.
3. The cyber security domain aims to ensure you achieve a secure technology posture that maintains the confidentiality, integrity, and availability of your technology assets.
Approach and Methodology:
The guideline permits a self-assessment to achieve compliance. You should take a risk-based approach and treat the guideline as a pick-list rather than a check-list. Those familiar with the ISO 27001 series can apply the statement of applicability (SoA) approach: conduct a risk assessment, then implement the applicable controls from the guideline. Where a control from the guideline is deemed not applicable, the risk assessment should document the justification and confirm that leaving the control unimplemented does not materialize into a risk.
Compliance with other industry-recognized standards and frameworks, such as ISO 27001:2022 and the NIST CSF, allows you to adopt a unified compliance framework (UCF) approach. Coolidge Solutions has produced a traceable unified mapping of the guideline to these other frameworks to reduce redundant and overlapping requirements and to shorten the turnaround time of a self-assessment against the guideline.
You should report your compliance with the guideline annually to the applicable internal and external stakeholders, with supplementary risk reports covering the controls assessed as not applicable. We have created a self-assessment toolkit that provides a reporting dashboard across each layer (domains, principles, and controls) and highlights your performance against the guideline.
Continuous Monitoring and Improvement:
Maintaining compliance with multiple frameworks across your organization can be demanding, requiring additional people and technology resources. To sustain the technology and cyber risk posture achieved through the guideline, you should implement programs that continually monitor your risk posture, identify controls from the guideline that have become applicable, and flag controls that are failing. You can leverage industry-leading automated governance, risk, and compliance (GRC) solutions to run a seamless and efficient compliance program. We have established partnerships with leaders in this space.
Do you want to implement and maintain an efficient OSFI B-13 compliance program? Contact our team to learn more.