Consultation on New OSFI Guideline B-13 on Technology and Cyber Risk Management | Blake, Cassels & Graydon LLP


On November 9, 2021, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month public consultation on a new Draft Guideline B‑13: Technology and Cyber Risk Management (Draft Guideline). The publication of the new Draft Guideline follows OSFI’s consultation on technology risks in the financial sector that was launched in September 2020 (see our Blakes Bulletin: Technology Risks and Resilience in the Financial Sector: OSFI Issues Digital Risks Discussion Paper). OSFI issued a summary of the feedback received from this earlier consultation in May 2021, which is also addressed in the Draft Guideline and the related OSFI letter.
 
The Draft Guideline will apply to all federally regulated financial institutions (FRFIs), including banks, insurers, and trust and loan companies. No exceptions are identified for Canadian branches of authorized foreign banks and foreign insurers, although OSFI notes that FRFIs are to implement the Draft Guideline commensurate with their size, the nature, scope and complexity of their operations, and their risk profile.
 
The new Draft Guideline will complement, rather than replace, OSFI’s existing guidelines and tools on operational risk management and outsourcing, including Guidelines E‑21: Operational Risk Management and B‑10: Outsourcing of Business Activities, Functions and Processes, and the recently updated Cyber Security Self-Assessment and Technology and Cyber Security Incident Reporting Advisory. OSFI also reiterates its intention to review existing guidance on outsourcing and operational risk management in the future.
 
The Draft Guideline sets out OSFI’s expectations for the management of information technology and cyber risks. It is organized into five domains: governance and risk management, technology operations, cyber security, third-party provider technology and cyber risk, and technology resilience. For each domain, OSFI specifies a desired outcome and sets out somewhat prescriptive principles. Each of the domains and the related outcome expectations and guiding principles are summarized in the table set out below.
 
OSFI’s objective in adopting this layered approach is to afford flexibility to FRFIs, consistent with principles-based guidance, while providing sufficient clarity on regulatory expectations. As noted below, OSFI is specifically seeking comments from the industry on whether the Draft Guideline strikes the right balance between prescriptive and principles-based approaches to regulatory guidance.
 
The stated outcomes and the more specific principles for each of the five domains are summarized in the table set out below.
 
OSFI’s expectations are intended to be technology-neutral (for example, OSFI is not advancing expectations specific to quantum computing) and aim to support FRFIs in developing greater resilience to technology and cyber risks. The Draft Guideline sets out specific definitions for technology risk and cyber risk.

  • Technology risk is defined as the risk arising from the inadequacy, disruption, failure, loss or malicious use of information technology systems, infrastructure, people or processes that enable and support business needs, and can result in financial loss. OSFI clarifies that technology in the Draft Guideline refers to information technology.

  • Cyber risk or cyber security risk is defined as the risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of a FRFI’s information technology systems and/or the data contained therein. OSFI also clarifies that the term cyber also refers to information security.

OSFI’s consultation, which is open until February 9, 2022, invites comments on the Draft Guideline with a particular focus on the following issues:

  • Clarity of OSFI’s expectations in the Draft Guideline

  • Application of the OSFI expectations, commensurate with a FRFI’s size, nature, scope, and complexity of operations

  • Balance between a principles-based approach and prescriptiveness in OSFI’s expectations

OSFI is expected to hold an information session in respect of the Draft Guideline over the next few weeks.

Draft Guideline B-13: Domains, Outcomes and Principles

DOMAIN 1: Governance and Risk Management

Formal accountability, leadership, organizational structure and framework used to support technology and cyber security risk management and oversight

Expected Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.

Principle 1: Accountability and Organizational Structure
Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.

Principle 2: Technology and Cyber Strategy
The FRFI should define, document, approve and implement a strategic technology and cyber plan (or plans). The plan(s) should align with the FRFI’s business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment.

Principle 3: Technology and Cyber Risk Management Framework
The FRFI should establish a technology and cyber risk management framework. The framework should set out a risk appetite for technology and cyber risks, and define the processes and requirements the FRFI uses to identify, assess, manage, monitor and report on technology and cyber risks.

DOMAIN 2: Technology Operations

Management and oversight of risks related to the design, implementation and management of technology assets and services

Expected Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.

Principle 4: Technology Architecture
The FRFI should implement a technology architecture framework, with supporting processes to ensure solutions are built in line with business, technology and security requirements.

Principle 5: Technology Asset Management
The FRFI should maintain an up-to-date inventory of all technology assets supporting business processes or functions. The FRFI’s asset management process should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle, and monitor and manage technology currency.

Principle 6: Technology Project Management
Effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within the FRFI’s risk appetite.

Principle 7: System Development Life Cycle (SDLC)
The FRFI should implement an SDLC framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.

Principle 8: Change and Release Management
The FRFI should establish and implement a technology change and release management process, with supporting documentation, to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.

Principle 9: Patch Management
The FRFI should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.

Principle 10: Incident and Problem Management
The FRFI should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.

Principle 11: Technology Service Measurement and Monitoring
The FRFI should develop service and capacity standards, and processes to monitor the operational management of technology, ensuring business needs are met.

DOMAIN 3: Cybersecurity

Management and oversight of cyber risk

Expected Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.

Principle 12: Identify
The FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security weaknesses that could be exploited by external and insider threat actors.

Principle 13: Defend
The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.

Principle 14: Detect
The FRFI designs, implements and maintains continuous security detection capabilities to enable monitoring and alerting and to support forensic cyber security incident investigations.

Principle 15: Respond, Recover and Learn
The FRFI should triage, respond to, contain, recover from and learn from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.

DOMAIN 4: Third-Party Provider Technology and Cyber Risk

Sets expectations for FRFIs that engage with third-party providers to obtain technology and cyber services and/or other services that give rise to cyber and/or technology risk

Expected Outcome: Reliable and secure technology and cyber operations from third-party providers

Principle 16:
The FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report on and mitigate technology and cyber risks throughout the third-party provider’s life cycle, from due diligence to termination/exit.

DOMAIN 5: Technology Resilience

Capabilities to deliver technology services through operational disruption

Expected Outcome: Technology services are delivered, as expected, through disruption

Principles 17 and 18: Disaster Recovery
The FRFI should establish and maintain an enterprise disaster recovery framework to support its ability to deliver technology services through disruption and to operate within its risk tolerance.

The FRFI should perform scenario testing of its disaster recovery capabilities to confirm that its technology services operate as expected through disruption.
 

 


