OSFI Publishes Its Response To Feedback Received On Draft Guideline B-13

On June 9, 2022, the Office of the Superintendent of Financial Institutions (OSFI) published its summary response to feedback received from stakeholders regarding draft Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), that will apply to federally regulated financial institutions, as previously reported by the E-TIPS® Newsletter here. 

During a three-month consultation period, OSFI received feedback from interested stakeholders.  As a result of this feedback, OSFI implemented the following changes to the final Guideline B-13:

1. Less Prescriptive – The final Guideline B-13 will include fewer prescriptive expectations/examples, with added emphasis on approaching B-13 from a risk-based perspective.

2. Streamlined – The draft Guideline B-13 was organized into 5 different domains – Governance and Risk Management; Technology Operations; Cyber Security; Third-Party Provider Technology and Cyber Risk; and Technology Resilience.  The final Guideline B-13 will be organized into only 3 domains – Governance and Risk Management; Technology Operations and Resilience; and Cyber Security. 

• This was achieved by moving the Third-Party Provider Technology and Cyber Risk domain to Guideline B-10, and by combining the Technology Operations and Technology Resilience domain into a streamlined and renamed Technology Operations and Resilience domain.

3. Clear Definitions – Instead of having separate definitions for “technology risk” and “cyber risk” the final Guideline B-13 will only contain a single definition for “technology risk” that includes “cyber risk”.

4. Clear expectations – the final Guideline B-13 will contain more clear and consolidated expectations.  It will remove confusing or duplicative expectations and examples.

OSFI states that the final Guideline B-13 will be published in the coming weeks. We will provide a summary of the final Guideline B-13 following its release.

Summary By: Olalekan (Wole) Akinremi