OSFI Launches Consultation On Draft Technology And Cyber Risk Management Guideline

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on November 24, 2021.

On November 9, 2021, the Office of the Superintendent of Financial Institutions (OSFI) launched a public consultation on Draft Guideline B‑13: Technology and Cyber Risk Management (the Guideline). It applies to federally regulated financial institutions (FRFIs) and addresses OSFI’s expectations in relation to technology and cyber risks.

The Guideline is organized into five domains, with each domain describing OSFI’s desired outcome for FRFIs in a certain aspect of technology and cyber risk management:

  1. Governance and Risk Management: the FRFI has a clear framework and comprehensive strategy to govern technology and cyber risks.
  2. Technology Operations: there is a resilient and scalable technology environment in place that is kept up-to-date by robust operating processes.
  3. Cyber Security: the FRFI is able to maintain the confidentiality, integrity, and availability of technology assets.
  4. Third-Party Provider Technology and Cyber Risk: third-party providers deliver reliable and secure technology and cyber operations to the FRFI.
  5. Technology Resilience: the FRFI has proper disaster recovery capabilities that allows the delivery of technology services through operational disruption.

In its announcement of the consultation, OSFI commented on the importance of stakeholder engagement to strike the appropriate balance between its prudential objectives, while still allowing financial institutions to compete. Accordingly, OSFI welcomes public feedback on the Guideline and is especially interested in feedback that addresses the clarity and application of their outlined expectations, the balance between principles and prescriptiveness in these expectations, and other suggestions that relate to OSFI’s mandate.

The consultation is open until February 9, 2022 and comments can be submitted at Tech.Cyber@osfi-bsif.gc.ca.