On June 9, 2022, the Office of the Superintendent of Financial Institutions (OSFI) published its summary response to feedback received from stakeholders regarding draft Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), which will apply to federally regulated financial institutions, as previously reported by the E-TIPS® Newsletter here.
During a three-month consultation period, OSFI received feedback from interested stakeholders. As a result of this feedback, OSFI implemented the following changes to the final Guideline B-13:
- Less Prescriptive – The final Guideline B-13 will include fewer prescriptive expectations/examples, with added emphasis on approaching B-13 from a risk-based perspective.
- Streamlined – The draft Guideline B-13 was organized into 5 different domains – Governance and Risk Management; Technology Operations; Cyber Security; Third-Party Provider Technology and Cyber Risk; and Technology Resilience. The final Guideline B-13 will be organized into only 3 domains – Governance and Risk Management; Technology Operations and Resilience; and Cyber Security.
  - This was achieved by moving the Third-Party Provider Technology and Cyber Risk domain to Guideline B-10, and by combining the Technology Operations and Technology Resilience domains into a streamlined and renamed Technology Operations and Resilience domain.
- Clear Definitions – Instead of having separate definitions for “technology risk” and “cyber risk”, the final Guideline B-13 will only contain a single definition for “technology risk” that includes “cyber risk”.
- Clear Expectations – The final Guideline B-13 will contain clearer and more consolidated expectations. It will remove confusing or duplicative expectations and examples.
OSFI states that the final Guideline B-13 will be published in the coming weeks. We will provide a summary of the final Guideline B-13 following its release.
Summary By: Olalekan (Wole) Akinremi