OSFI releases new guideline for technology and cyber risk, balancing innovation with risk management

Today, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13. This guideline sets out OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks such as data breaches, technology outages and more.

The widespread use of technology and the growing rate of cyber incidents has created an urgent need for enhanced regulatory guidance to FRFIs on technology and cyber risk management. OSFI’s final Guideline B-13 provides that guidance, while allowing FRFIs to compete effectively and take full advantage of digital innovation.

The Guideline is organized around three “domains,” each of which sets out key components for sound risk management: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security. In turn, each of these domains includes a desired outcome aimed at helping FRFIs understand OSFI’s expectations, focusing on the “why” and “to what end” of technology and cyber risk management.

The final Guideline B-13 will be effective as of January 1, 2024, to provide financial institutions sufficient time to self-assess and ensure compliance with this new guideline.

“With today’s release of final Guideline B-13, OSFI has crafted a flexible, principles-based approach towards managing technology and cyber risk that takes into consideration the size, nature, scope and complexity of financial institutions.”

- Jamey Hubbs, Vice-Superintendent