Technology and cyber risk management priorities bubble to the surface with the release of OSFI's Final B-13 Guidelines

Joanna Lewis Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada 05 December, 2022

Prioritize OSFI's final B-13 requirements without breaking the bank

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final version of Guideline B-13, Technology and Cyber Risk Management. The Guideline will be effective as of January 1, 2024, to provide federally regulated financial institutions (FRFIs) with time to assess their programs and ensure compliance. The Guideline documents key components of sound management of technology and cyber risks, each of which has defined principles and expectations. 

OSFI recognizes that regulatory supervision of technology and cyber resilience has resulted in the strengthening of banks’ financial resilience, similar to the impact that regulators in the United Kingdom and United States have had. The focus on technology and cyber resilience is expected to ultimately improve a firm’s ability to absorb severe operational risk-related events that could cause significant failure or disruption in the Canadian financial system.

B-13 is part of a growing trend to strengthen regulatory oversight, not only from OSFI, but also from the Canadian federal government through its recent introduction of two bills:

  • C-27: Major reforms to federal privacy laws and new rules for artificial intelligence

    • For further information and our analysis of C-27, refer to this recent article

  • C- 26: Significant new cybersecurity requirements for federally regulated industries and new national security requirements for the telecommunications sector

Key differences between the Draft and Final versions of Guideline B-13 and impacts to organizations, along with information about next steps, are summarized below.

Our view 

We think it’s prudent that OSFI is taking this step to establish principles and expectations for the sound management of technology and cyber risks.

OSFI has introduced small refinements, adjustments and changes with the release of the Final B-13 Guideline. We’ve analyzed the changes and summarized our views on some of the pros and cons of the final version of B-13:

  • Simpler to follow: A key change in the Final Guideline was the streamlining of domains from five to three. OSFI achieved this by consolidating the previous Technology Resilience domain into the renamed Technology Operations and Resilience domain and by moving the third-party-related expectations into OSFI’s new draft of the B-10 Guideline, Third Party Risk Management. 

  • Less prescriptive: Through consultation with the financial services industry, OSFI learned that respondents found the expectations and examples documented within the Draft B-13 Guideline overly prescriptive. To provide FRFIs with more flexibility, and due to the fact that regulated entities vary in terms of their nature and size, a risk-based approach was emphasized in the Final Guideline. 

  • Clearer definitions and expectations: While the Draft Guideline defined technology and cyber risks as two separate concepts, OSFI consolidated the definitions and now more correctly describes cyber risk as being part of the broader technology risk domain. 

  • Recognition of modern development principles: System development life cycle and change management software practices, such as Agile and continuous development, have been incorporated into OSFI’s expectations. 

  • Specificity: While reducing the level of prescriptiveness has its advantages and will receive positive reactions from FRFIs, it can create gray areas and situations of non-compliance that could ultimately lead to less effective technology and cyber safeguards. 
  • Proportionality: B-13 doesn’t include the concept of proportionality, so small and medium-sized FRFIs may find it difficult to determine to what extent they have to invest in their technology and cyber risk program. It’s expected that proportionality will be introduced broadly as part of a revised E-21 Guideline, Operational Risk Management.

Which aspects might be challenging?

We’ve worked with and supported a number of FRFIs to enhance their cybersecurity and cyber risk management processes and technology, including in response to OSFI supervisory activities. We’ve found the following areas to be particularly important based on recent OSFI review findings and the level of complexity involved in addressing them:

  • Cloud security: Multi-cloud environments and cloud governance require considerations across all 16 principles of B-13. 

  • Data management: Inventorying, classifying and securing sensitive data and establishing protective controls to prevent data exfiltration.

  • Identity and access management (IAM): Role-based access control (RBAC) and privileged identities are becoming more of a focus, specifically with the continued proliferation of SaaS products.

  • Software development life cycle (SDLC): Establishing the consistent use of standardized DevSecOps pipelines, which should include embedded security requirements.

How relevant are previous NIST CSF and OSFI self-assessments in determining B-13 alignment?

Most organizations perform regular assessments of their cybersecurity program against industry and regulatory standards or frameworks. There is overlap between B-13 and other standards and frameworks. However, the new Guideline covers topics that haven’t previously been included to the same extent, especially given the fact that the scope of B-13 covers technology risk broadly and not just cyber risks. The table below compares at a high level B-13 and some of the more well-known frameworks and standards.

Degree to which B-13 covers other cybersecurity frameworks.
PwC Canada analysis
This chart shows the degree to which B-13 covers other cybersecurity frameworks. The  legend categories provided range from most coverage to least coverage and include: Not applicable, Adequate coverage, Minor gaps/lacking specificity, Substantial gaps/some coverage and Significant gaps/no coverage. The cybersecurity frameworks we are looking at in the vertical columns are: NIST CSF v1.1, OSFI Self-Assessment, OSFI Indicient Reporting and CRI Profile v1.2.  Each of these cybersecurity frameworks listed vertically are being looked at relative to larger categories and sub-categories in the horizontal rows. The first larger category is  Governance and Risk Management under which falls: Accountability and Organizational Structure, Technology and Cyber Strategy and Technology and Cyber Risk management Framework. The next category is for Technology Operations and Resilience, under which falls: Technology Architecture, Technology Asset management and Technology Project Management, System Development Life Cycle, Change and Release Management, Patch management, Incident and Problem Management, Technology Service Measurement and Monitoring and Disaster Recovery.  The final category is for Cyber Security, under which falls: Identify, Defend, Detect, and finally Respond, Recover and Learn. Overall, we observe that there are more gaps than adequate coverage with many of the sub-categories showing minor gaps/lacking specificity, substantial gaps/some coverage or significant gaps/no coverage.

What should you do between now and January 1, 2024?

As illustrated in our comparison above, results of previous maturity assessments may not be fully indicative of the level of compliance with B-13. While some of the larger or more mature FRFIs may find their existing technology and cyber risk management programs address the majority of OSFI’s expectations, other organizations will require significant uplift over the course of the next 14 months. 

We highly encourage FRFIs to be proactive and take the following actions to ensure full alignment with B-13 prior to January 1, 2024:

  • Conduct a current state assessment to determine your technology and cyber program’s maturity compared to the Final B-13 Guideline and identify areas requiring design or uplift. Prioritize into short-term (immediate quick wins) and long-term opportunities. 

  • Evaluate impact on stakeholders, data availability and quality, and technology considerations to upgrade your existing program to be in compliance with the Final B-13 Guideline. Plan for internal socialization with senior management to discuss cost impact and associated budget requirements.

Contact us

Joanna Lewis

Joanna Lewis

Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada

Tel: +1 416 687 9139

Follow PwC Canada