Office of the Superintendent of Financial Institutions
The increasing frequency, severity and sophistication of cyber threats and attacks have resulted in an elevated risk profile for many organizations around the world, including federally regulated financial institutions (FRFIs) in Canada.
In October 2013, the Office of the Superintendent of Financial Institutions (OSFI) published its Cyber Security Self-Assessment to help FRFIs assess their level of cyber preparedness. Since then, this self-assessment has helped FRFIs prepare and improve their cyber security posture. However, digitalization of financial services is broadening the attack surface and introducing new entry points into FRFIs' technology environment, meaning institutions continue to be highly exposed to cyber risk. As a result, OSFI is enhancing its Cyber Security Self-Assessment to reflect the current cyber risk landscape in line with its strategic priorities.
FRFIs are encouraged to use this self-assessment or similar tools to assess their current level of cyber preparedness and to develop and maintain effective cyber security practices. As indicated in its Near-Term Plan of Prudential Policy, OSFI will establish new guidance for the sound management of technology and cyber risk. This self-assessment will supplement the forthcoming guidance and will be refreshed regularly to keep abreast of the cyber risk landscape.
Further questions can be directed to Chris Suknundun, Managing Director, Technology Risk Division, at TRD@osfi-bsif.gc.ca.
The cyber risk rating levels referred to in this self-assessment are intended to help the FRFI gauge the maturity of individual security controls (listed in the "Controls" column). Those control statements address best practices, cyber risk and related processes, documentation, roles and responsibilities, technologies and other cyber security safeguards, all of which are important to robust cyber security operations and to the FRFI's strategic cyber security program development.
The maturity level that the FRFI assigns to each control is intended to estimate the maturity of that control, with reference to the differentiated levels.
Those ratings can then be used to highlight controls that are maturing effectively, as well as those that need more attention (i.e., to address deficiencies). Maturity levels are also informative in discussions with OSFI and for future cyber security planning within the FRFI.
In this regard, OSFI has identified cyber security maturity levels 1 to 5. Level "0" is technically a sixth level, but it only indicates a lack of any progress with respect to the assessed control.
Note: for most of the cyber security controls listed, there will be inter-dependencies with other controls (e.g., Risk Assessment, implemented by the cyber security group, will be related to Risk Management, as addressed by risk managers including senior management). For this reason, the term "controls" is sometimes used in the following statements. However, when the FRFI completes this assessment and estimates maturity scores, those scores are to be assigned to each individual control, one at a time rather than collectively.