OSFI response to draft Guideline B-13 consultation feedback – Technology and Cyber Risk Management

Document Properties

  • Type of Publication: Letter
  • Date: June 9, 2022
  • To: All Federally Regulated Financial Institutions

Today, the Office of the Superintendent of Financial Institutions (OSFI) publishes its summary response to feedback received during the three-month consultation on draft Guideline B-13. Final Guideline B-13 will be published in the coming weeks with several adjustments in response to consultation feedback. Guideline B-13 should be read from a risk-based perspective that allows federally regulated financial institutions (FRFIs) to compete effectively and take full advantage of digital innovation, while maintaining sound technology risk management.

As outlined below, final Guideline B-13 is less prescriptive and streamlined with clearer definitions and clearer expectations. In developing Guideline B-13, OSFI also considered stakeholder feedback in response to the fall 2020 discussion paper, Developing financial sector resilience in a digital world.

Summary Response to Consultation Feedback

Response             | Consultation Draft Guideline B-13                                                                     | Final Guideline B-13
---------------------|-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------
Less Prescriptive    | Respondents identified detailed expectations and examples that were overly prescriptive in some areas | Fewer prescriptive expectations and examples, with added emphasis on approaching B-13 from a risk-based perspective
Streamlined          | Five domains                                                                                          | Three domains
Clearer Definitions  | Separate definitions for ‘technology risk’ and ‘cyber risk’                                           | Single definition for ‘technology risk’ that includes ‘cyber risk’
Clearer Expectations | Respondents identified expectations that were overlapping and confusing in some areas                 | Clearer and consolidated expectations

Less Prescriptive

Many respondents found that, while the outcomes and principles were appropriate, the underlying expectations and examples were overly prescriptive in some areas, including paragraph 2.2.3 (Inventory captures all technology assets that support the business).

In response, OSFI removed several expectations and examples, including the deletion of paragraph 2.2.3. Language was also introduced to reinforce OSFI’s risk-based approach, notably that expectations and examples should always consider the unique risks and vulnerabilities that vary with a FRFI’s size, the nature, scope, and complexity of its operations, and its risk profile.

Streamlined

Several respondents suggested that expectations for third parties would be better placed in revised draft Guideline B-10 (Third-Party Risk Management). There was also notable concern among respondents with respect to how OSFI would ensure alignment of its non-financial risk expectations as it proceeds with new and revised Guidelines in other areas (B-13, B-10, and E-21 on operational risk).

In response, OSFI streamlined final Guideline B-13 to focus on three core domains: Governance and Risk Management; Technology Operations and Resilience; and Cyber Security. This was achieved by moving third-party expectations to the revised draft Guideline B-10 (Third-Party Risk Management), released for a three-month consultation ending July 27, 2022. Additionally, technology resilience expectations are now consolidated and streamlined within a renamed Technology Operations and Resilience domain.

Clearer Definitions

Some respondents suggested that OSFI adopt a single definition for “technology risk” that includes cyber risk to better establish cyber risk as a sub-risk of technology risk. Respondents also recommended that OSFI adopt definitions of international standard-setting bodies for technical terms or clarify that FRFIs may adopt the definitions of recognized standard-setting bodies.

In response, OSFI clarified the definitions in final Guideline B-13 by advancing a single definition of “technology risk” that includes cyber risk. OSFI also notes that Guideline B-13 definitions were informed by recognized standard-setting bodies. FRFIs may adopt definitions of recognized standard-setting bodies for any technical terms used in Guideline B-13.

Clearer Expectations

Many respondents found that, while the outcomes and principles were clear, the underlying expectations and examples were unclear and/or duplicative in some specific areas.

In response, OSFI clarified expectations in final Guideline B-13 and removed or consolidated expectations, where appropriate.