Canada’s Office of the Superintendent of Financial Institutions (OSFI) has published its final Guideline B-13, which sets out OSFI's expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks such as data breaches, technology outages and more.
Guideline B-13 is organized around three ‘domains’, each of which sets out key components for sound risk management: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security.
FRFIs have until January 1, 2024 to comply, which is intended to give them sufficient time to self-assess against the guideline and put appropriate processes in place.
Guideline B-13 is the product of an extensive consultation process, starting with the September 2020 publication of a discussion paper and a consultation period from September to December 2020. Following the release of OSFI's draft Guideline B-13 in November 2021, OSFI further consulted on its proposed guidance regarding technology and cyber risk from November 2021 to February 2022.
Guideline B-13 is complemented by OSFI's existing guidance and tools, including the Corporate Governance Guideline, Guideline E-21 (Operational Risk Management), the revised draft Guideline B-10 (Third-Party Risk Management), the Technology and Cyber Security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.