Technology and cyber risk management self-assessment tool

Information
Publication type: Assessment tool
Category: Sound Business and Financial Practices
Date:
Sector: Banks, Foreign Bank Branches, Foreign Insurance Branches, Life Insurance and Fraternal Companies, Property and Casualty Companies, Trust and Loan Companies

Introduction

Cyber threats and evolving technologies increase risks to the resilience and stability of Canada’s federally regulated financial institutions (institutions). We have updated our existing voluntary cyber security self-assessment tool to help institutions prepare for and respond to current and emerging technology and cyber threats and risks. The enhanced technology and cyber risk management self-assessment tool (XLSX, 103KB) is now aligned with our Guideline B-13 - Technology and Cyber Risk Management, which remains the primary guideline for technology and cyber risk management. We have provided references to other OSFI guidelines for additional considerations, where relevant.

This voluntary, self-serve tool aims to help:

  • assess the maturity of each process or control
  • gauge preparedness for addressing technology and cyber risks
  • identify control gaps and opportunities for risk remediation
  • strengthen risk management practices across the organization

Institutions may leverage this self-assessment or similar frameworks to evaluate their current level of technology and cyber preparedness, and to support the development and maintenance of robust, effective practices.

Maturity rating scale

We have established a rating scale from 0 to 5 to assess the maturity of each process or control. A rating of 0 indicates that the process or control is currently non-existent.

These ratings indicate the maturity of each process or control, highlighting those performing effectively and identifying gaps for improvement. Additionally, maturity levels can provide valuable insights to support future risk management planning.