The Office of the Superintendent of Financial Institutions (OSFI) has released its final Guideline B-13 Technology and Cyber Risk Management, which sets out OSFI’s expectations for federally regulated financial institutions (FRFIs) with respect to how they should manage technology and cyber risks. The guideline is organized into the following three parts: Governance and Risk Management, Technology Operations and Resilience and Cyber Security.

The section on Governance and Risk Management covers topics such as expectations for the accountability and organizational structure regarding the management of technology and cyber risks by senior officers, the preparation of a strategic technology and cyber plan, and the establishment of a technology and cyber risk management framework. The section on Technology Operations and Resilience discusses the implementation of a technology architecture framework, maintaining an inventory of all technology assets supporting business processes or functions, and change and release management. With respect to Cyber Security, the Guideline references the importance of conducting intelligence-led threat assessment and testing, and ensuring FRFIs maintain situational awareness of the cyber threat landscape. Regular testing of employees to assess cyber threat awareness is also mentioned.

The Guideline will be effective for FRFIs as of January 1, 2024. For additional information and commentary, please see the article included in BLG’s Resource Corner below. While the Guideline does not apply to non FRFIs, securities dealers and advisers may still find some of the recommendations for managing technology assets, as well as the guidelines for cyber security management, helpful.

August 17, 2022