Guideline B-13 and Third-Party Business Resilience
OSFI B-13 is a guideline issued by the Office of the Superintendent of Financial Institutions (OSFI) in Canada that outlines risk management requirements for developing greater resilience to technology and cyber risks – including those posed by third parties.
Originally issued in July 2022, Guideline B-13 is organized into three domains, with each domain having a desired outcome that contributes to resilience against technology and cyber risks. Outcomes are supported by 17 Principles which in turn are supported by individual guidelines.
When it comes to third-party risk management, Guideline B-13 emphasizes the need for financial institutions to implement comprehensive strategies to manage risks associated with outsourcing and third-party relationships.
Relevant requirements
- Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
- A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.
- A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating and recovery processes.
Complying with OSFI Guideline B-13
Guideline B-13 presents 17 Principles for FRFIs to structure their risk management programs. These Principles are meant to contribute to the FRFI’s operational resilience. The summary table below maps Prevalent Third-Party Risk Management Platform capabilities to the most relevant principles.
NOTE: This table should not be considered comprehensive, definitive guidance. Consult your auditor for a complete list of requirements and see the complete OSFI guideline.
Domain: Governance and risk management
This domain sets out OSFI’s expectations for formal accountability, leadership, organizational structure and the framework used to support risk management and oversight of technology and cyber security. Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.

Principles | Prevalent TPRM Platform capabilities
---|---
Principle 1: Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI. Principle 2: FRFIs should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align to business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment. | Prevalent experts collaborate with your team on defining and implementing TPRM processes and solutions in the context of your overall risk management approach; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding. As part of this process, Prevalent helps you define:
Principle 3: FRFIs should establish a technology and cyber risk management framework (RMF). The framework should set out a risk appetite for technology and cyber risks and define the FRFI’s processes and requirements to identify, assess, manage, monitor and report on technology and cyber risks. | The Prevalent TPRM Platform features a large library of framework-specific risk assessments – such as ISO, NIST, or others. Leverage pre-built, framework-specific risk assessments to simplify controls mapping and reporting. A chosen framework should align with enterprise-level risk management requirements.

Domain: Technology operations and resilience
This domain sets out OSFI’s expectations for the "management and oversight of risks related to the design, implementation, management and recovery of technology assets and services". Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating and recovery processes.

Principles | Prevalent TPRM Platform capabilities
---|---
Principle 7: FRFIs should implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives. | As part of the due diligence process, Prevalent can help your team analyze software bills of materials (SBOMs) for third-party software products. This helps you identify potential vulnerabilities or licensing issues that may impact your organization’s security and compliance posture.
Principle 10: FRFIs should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts. | Prevalent continuously tracks and analyzes external threats to third parties. As part of this, Prevalent monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Monitoring sources include: All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Once all assessment and monitoring data is correlated into a central risk register, Prevalent applies risk scoring and prioritization according to a likelihood and impact model. This model frames risks in a matrix, so you can easily see the highest-impact risks and prioritize remediation efforts on those. Finally, with Prevalent you can assign owners and track risks and remediations to a level acceptable to the business.
Principle 11: FRFIs should develop service and capacity standards and processes to monitor operational management of technology, ensuring business needs are met. | With Prevalent you can continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities, measuring third-party vendor key performance indicators (KPIs) and key risk indicators (KRIs) throughout the relationship lifecycle.

Domain: Cyber security
This domain sets out OSFI’s expectations for the "management and oversight of cyber risk". Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.

Principles | Prevalent TPRM Platform capabilities
---|---
Principle 14: FRFIs should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors. | The Prevalent TPRM Platform features a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship. Assessments should be managed centrally and supported by workflow, task management and automated evidence review capabilities to ensure your team has visibility into third-party risks throughout the relationship lifecycle. Most importantly, Prevalent includes built-in remediation recommendations based on risk assessment results to ensure your third parties address risks in a timely and satisfactory manner and can provide appropriate evidence to auditors. As part of this process, Prevalent continuously tracks and analyzes external threats to third parties. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.
Principle 17: FRFIs should respond to, contain, recover and learn from cyber security incidents impacting their technology assets, including incidents originating at third-party providers. | As part of your broader incident management strategy, Prevalent ensures that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Key capabilities in a third-party incident response service include: Also, Prevalent leverages databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.