OSFI releases final Guideline B-13 – Technology and Cyber Risk Management - Letter (2022)

Today, the Office of the Superintendent of Financial Institutions (OSFI) publishes final Guideline B-13 – Technology and Cyber Risk Management, which sets out expectations for the sound management of technology and cyber risk for federally regulated financial institutions (FRFIs). Guideline B-13 should be read, and implemented, from a risk-based perspective that allows FRFIs to compete effectively and take full advantage of digital innovation, while maintaining sound technology risk management.

Geopolitical tensions and the interconnectivity of the global financial system and technology-based infrastructures have heightened the threat of cyber-attacks. This risk environment has created an urgency for enhanced regulatory guidance for FRFIs on technology and cyber risk management.

Guideline B-13 will be effective on January 1, 2024, to provide FRFIs sufficient time to self-assess and ensure their compliance with this new guideline. As outlined in the OSFI response to draft Guideline B-13 consultation feedback, final Guideline B-13 is less prescriptive and streamlined with clearer definitions and clearer expectations.

Existing OSFI guidance and tools will complement Guideline B-13, including the Corporate Governance Guideline, Guideline E‑21 (Operational Risk Management),  the revised draft Guideline B‑10 (Third-Party Risk Management), the Technology and Cyber Security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.