OSFI releases new framework to strengthen financial institutions’ resilience to cyber-attacks

News release - Ottawa -

Today, the Office of the Superintendent of Financial Institutions (OSFI) released a framework to help identify areas where the financial sector could be vulnerable to sophisticated cyber-attack. The Intelligence Led Cyber Resilience Testing (I-CRT) framework outlines a methodology and serves as an implementation guide for federally regulated financial institutions (FRFIs) conducting I-CRT assessments.

As mentioned in OSFI’s Annual Risk Outlook, cyber-attacks continue to increase in frequency and sophistication as technology evolves and the use of third-party technoloygy providers grows. The I-CRT approach is used globally by regulators to enhance financial institutions’ technology and cyber resilience against sophisticated attacks. These attacks can potentially disrupt critical business functions, either at individual institutions or across the financial sector.

Under the I-CRT framework, OSFI provides guidance and oversight throughout the assessment, while FRFIs manage overall testing. Consistent with OSFI’s Guideline B-13 – Technology and Cyber Risk Management, OSFI expects FRFIs to have measures in place that create resilience against cyber attacks and disruptions. The I-CRT framework is a supervisory tool that supplements Guideline B-13 with I-CRT assessments that allow FRFIs to proactively identify and address issues with their cyber resilience.

The I-CRT framework currently applies to Canada’s systemically important banks (SIBs) and internationally active insurance groups (IAIGs). OSFI recommends that these institutions conduct an I-CRT assessment at least once during each three-year supervisory cycle, beginning in 2023.

Implemented appropriately, the I-CRT framework will strengthen federally regulated financial institutions’ ability to withstand sophisticated cyber attacks. Effectively managing cyber risk is an essential element of a federally regulated financial institutions’ cyber resilience. I would like to thank the institutions that participated in our pilot projects over the past 18 months – their outstanding contributions helped us develop this framework.

- Peter Routledge, Superintendent

Quick facts

  • The I-CRT framework differs from traditional technology and cyber security penetration testing in that it is intelligence-led for greater realism and detail, broader in scope thanks to its focus on critical business functions and associated realistic threat scenarios, and overseen by OSFI which allows for a consistent and coordinated approach among FRFIs.
  • The I-CRT framework was guided by 18 months of collaboration and consultation with industry, including a pilot project with FRFIs in the banking and insurance sectors.


OSFI – Media Relations