On November 9, 2021, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month public consultation on a new Draft Guideline B‑13: Technology and Cyber Risk Management (Draft Guideline). The publication of the new Draft Guideline follows OSFI's consultation on technology risks in the financial sector that was launched in September 2020 (see our Blakes Bulletin: Technology Risks and Resilience in the Financial Sector: OSFI Issues Digital Risks Discussion Paper). OSFI issued a summary of the feedback received from this earlier consultation in May 2021, which is also addressed in the Draft Guideline and the associated OSFI letter.
The Draft Guideline will apply to all federally regulated financial institutions (FRFIs), including banks, insurers, and trust and loan companies. No exceptions are identified for Canadian branches of authorized foreign banks and foreign insurers, although OSFI notes that FRFIs are to implement the Draft Guideline commensurate with their size, the nature, scope and complexity of their operations, and their risk profile.
The new Draft Guideline will complement, rather than replace, OSFI's existing guidelines and tools on operational risk management and outsourcing, including Guidelines E‑21: Operational Risk Management and B‑10: Outsourcing of Business Activities, Functions and Processes, as well as the recently updated Cyber Security Self-Assessment and the Technology and Cyber Security Incident Reporting Advisory. OSFI also reiterates its intention to review its existing guidance on outsourcing and operational risk management in the future.
The Draft Guideline sets out OSFI's expectations for the management of information technology and cyber risks. It is organized into five domains: governance and risk management, technology operations, cyber security, third-party provider technology and cyber risk, and technology resilience. For each domain, OSFI specifies a desired outcome and sets out considerably prescriptive principles. Each of the domains, together with the associated outcome expectations and guiding principles, is summarized in the table set out below.
OSFI's objective in adopting this layered approach is to afford flexibility to FRFIs, consistent with principles-based guidance, while providing sufficient clarity on regulatory expectations. As noted below, OSFI is specifically seeking feedback from the industry on whether the Draft Guideline strikes the right balance between prescriptive and principles-based approaches to regulatory guidance.
The stated outcomes and the more specific principles for each of the five domains are summarized in the table set out below.
OSFI's expectations are intended to be technology-neutral (for example, OSFI is not advancing expectations specific to quantum computing) and aim to support FRFIs in developing greater resilience to technology and cyber risks. The Draft Guideline sets out specific definitions for technology risk and cyber risk.
Technology risk is defined as the risk arising from the inadequacy, disruption, failure, loss or malicious use of information technology systems, infrastructure, people or processes that enable and support business needs and can result in financial loss. OSFI clarifies that "technology" in the Draft Guideline refers to information technology.
Cyber risk, or cyber security risk, is defined as the risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of a FRFI's information technology systems and/or the data contained therein. OSFI also clarifies that the term "cyber" also refers to information security.
OSFI's consultation, which is open until February 9, 2022, invites comments on the Draft Guideline with a particular focus on the following issues:
Clarity of OSFI's expectations in the Draft Guideline
Application of OSFI's expectations, commensurate with a FRFI's size, nature, scope, and complexity of operations
Balance between a principles-based approach and prescriptiveness in OSFI's expectations
OSFI is expected to hold an information session in respect of the Draft Guideline within the next few weeks.
Draft Guideline B-13: Domains, Outcomes and Principles
DOMAIN 1: Governance and Risk Management
Formal accountability, leadership, organizational structure and framework used to support technology and cyber security risk management and oversight
Expected Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
Principle 1: Accountability and Organizational Structure
Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure that an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.
Principle 2: Technology and Cyber Strategy
The FRFI should define, document, approve and implement a strategic technology and cyber plan (or plans). The plan(s) should align with the FRFI's business strategy and set goals and objectives that are measurable and that evolve with changes in the FRFI's technology and cyber environment.
Principle 3: Technology and Cyber Risk Management Framework
The FRFI should establish a technology and cyber risk management framework. The framework should set out a risk appetite for technology and cyber risks, and define the processes and requirements the FRFI uses to identify, assess, manage, monitor and report on technology and cyber risks.
DOMAIN 2: Technology Operations
Management and oversight of risks related to the design, implementation and management of technology assets and services
Expected Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.
Principle 4: Technology Architecture
The FRFI should implement a technology architecture framework, with supporting processes to ensure solutions are built in line with business, technology and security requirements.
Principle 5: Technology Asset Management
Principle 6: Technology Project Management
Principle 7: System Development Life Cycle (SDLC)
Principle 8: Change and Release Management
Principle 9: Patch Management
Principle 10: Incident and Problem Management
Principle 11: Technology Service Measurement and Monitoring
DOMAIN 3: Cyber Security
Management and oversight of cyber risk
Expected Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI's technology assets.
Principle 12: Identify
The FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security weaknesses that could be exploited by external and insider threat actors.
Principle 13: Defend
Principle 14: Detect
Principle 15: Respond, Recover and Learn
DOMAIN 4: Third-Party Provider Technology and Cyber Risk
Sets expectations for FRFIs that engage third-party providers to obtain technology and cyber services and/or other services that give rise to cyber and/or technology risk
Expected Outcome: Reliable and secure technology and cyber operations from third-party providers
Principle 16:
The FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report on and mitigate technology and cyber risks throughout the third-party provider's life cycle, from due diligence to termination/exit.
DOMAIN 5: Technology Resilience
Capabilities to deliver technology services through operational disruption
Expected Outcome: Technology services are delivered, as expected, through disruption
Principles 17 and 18: Disaster Recovery
The FRFI should establish and maintain an enterprise disaster recovery framework to support its ability to deliver technology services through disruption and to operate within its risk tolerance.
The FRFI should perform scenario testing of its disaster recovery capabilities to confirm that its technology services operate as expected through disruption.