Office of the Superintendent of Financial Institutions
The increasing frequency and sophistication of recent cyber-attacks have resulted in an elevated risk profile for many organizations around the world. As a result, significant attention has recently been paid to the overall level of preparedness of these organizations against such attacks, including by financial institutions, critical infrastructure providers, regulatory bodies, the media and the public at large.
Cyber security is growing in importance due to factors such as the continued and increasing reliance on technology, the interconnectedness of the financial sector, as well as the critical role that federally regulated financial institutions (FRFIs) play in the overall economy. OSFI thus expects FRFI Senior Management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks.
OSFI recognizes that many FRFIs may have already conducted, or may be in the process of conducting, an assessment of their current level of preparedness. With this in mind, OSFI believes that they could benefit from guidance related to such self-assessment activities. Consequently, it is sharing the annexed cyber security self-assessment guidance to assist FRFIs in their self-assessment activities.
FRFIs are encouraged to use this template or similar assessment tools to assess their current level of preparedness, and to develop and maintain effective cyber security practices. OSFI does not currently plan to establish specific guidance for the control and management of cyber risk. Notwithstanding this, and in line with its enhanced focus on cyber security as highlighted in its Plan and Priorities for 2013-2016, OSFI may request institutions to complete the template or otherwise emphasize cyber security practices during future supervisory assessments.
Further questions can be directed to Mohamad Al-Bustami, Managing Director, Technology Risk Division, at (416) 973 2088 or TRD@osfi-bsif.gc.ca.
This self-assessment template sets out desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework. FRFIs are encouraged to reflect the current state of their cyber security practices in their assessments rather than their target state, and to consider cyber security practices on an enterprise-wide basis. If a FRFI employs relevant practices that are not described in the template, it is encouraged to list them and their related assessments.
OSFI suggests that FRFIs rate their current degree of maturity on a 1 to 4 scale and provide sufficient justification in all circumstances. A suggested definition of each of the ratings is provided below.
The self-assessment template can be found below:
The FRFI maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to
The FRFI has implemented tools to
The FRFI has implemented the following security tools and provides for their currency, automated updates, and enterprise-wide application:
The FRFI’s incident management process is designed to ensure that the following tasks are fully completed before an incident can be formally closed:
The FRFI has an established post incident review process that
Footnote 1: Cyber Security Framework: A complete set of organizational resources including policies, staff, processes, practices and technologies used to assess and mitigate cyber risks and attacks.
Footnote 2: Cyber Security Policy: A set of documented and authorized principles that set out how the Cyber Security Program is to be governed and executed.
Footnote 3: Refer to the Corporate Governance Guideline for additional guidance in this area.