OSFI B-13 is a guideline issued by the Office of the Superintendent of Financial Institutions (OSFI) in Canada that outlines risk management requirements for developing greater resilience to technology and cyber risks – including those posed by third parties. Similar to Guideline B-10, which addresses outsourcing, Guideline B-13 applies to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches operating in Canada.
Initially issued in July 2022, Guideline B-13 is organized into three domains, each with a desired outcome contributing to resilience against technology and cyber risks. Outcomes are supported by 17 Principles, which are supported by individual guidelines.
OSFI B-13 and Third-Party Risk Management
Regarding third-party risk management, Guideline B-13 emphasizes the need for financial institutions to implement comprehensive strategies to manage risks associated with outsourcing and third-party relationships. The table below summarizes the third-party risk management-specific guidelines in B-13 and provides best practice recommendations to address the requirements.
NOTE: This table summarizes only third-party risk-specific requirements. For a full list of all requirements and principles, please consult the complete OSFI guidelines.
| Principles | TPRM Best Practices |
|---|---|
| Domain: Governance and risk management. This domain sets OSFI’s expectations for the formal accountability, leadership, organizational structure and framework used to support risk management and oversight of technology and cyber security. Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks. | |
| Principle 1: Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI. Principle 2: FRFIs should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align to business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment. | Seek out experts to collaborate with your team on defining and implementing TPRM processes and solutions in the context of your overall risk management approach; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding. As part of this process, define clear roles and responsibilities (e.g., RACI). |
| Principle 3: FRFIs should establish a technology and cyber risk management framework (RMF). The framework should set out a risk appetite for technology and cyber risks and define the FRFI’s processes and requirements to identify, assess, manage, monitor and report on technology and cyber risks. | Seek out a risk management solution that features a large library of framework-specific risk assessments – such as ISO, NIST, or others. Leverage pre-built, framework-specific risk assessments to simplify controls mapping and reporting. The chosen framework should align with enterprise-level risk management requirements. |
| Domain: Technology operations and resilience. This domain sets OSFI’s expectations for “management and oversight of risks related to the design, implementation, management and recovery of technology assets and services.” Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating and recovery processes. | |
| Principle 7: FRFIs should implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives. | As part of the due diligence process, require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization’s security and compliance posture. |
| Principle 10: FRFIs should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts. | Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Monitoring sources should include: All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Once all assessment and monitoring data are correlated in a central risk register, risks should be scored and prioritized according to a probability-and-impact model. This model should frame risks in a matrix so that you can easily see the highest-impact risks and prioritize remediation efforts on them. Assign owners and track risks and corrective actions until they reach a level acceptable to the business. |
| Principle 11: FRFIs should develop service and capacity standards and processes to monitor operational management of technology, ensuring business needs are met. | Continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities, measuring third-party vendor key performance indicators (KPIs) and key risk indicators (KRIs) throughout the relationship lifecycle. |
| Domain: Cyber security. This domain sets OSFI’s expectations for “management and oversight of cyber risk.” Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets. | |
| Principle 14: FRFIs should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors. | Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship. Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors. As part of this process, continuously track and analyze external threats to third parties. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. |
| Principle 17: FRFIs should respond to, contain, recover and learn from cyber security incidents impacting their technology assets, including incidents originating at third-party providers. | As part of your broader incident management strategy, ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Key capabilities in a third-party incident response service include: Also consider leveraging databases that contain several years of data breach history for thousands of companies worldwide – including the types and amounts of data stolen; compliance and regulatory issues; and real-time notifications from vendors in the event of a data breach. Armed with this information, your team can better understand the scope and impact of the incident, the data affected, the impact on the third party’s operations and the date on which corrective measures were taken, all with the help of experts. |
Best Practices for Addressing Guideline OSFI B-13 Requirements
Guideline B-13 requirements are part of a broader framework aimed at ensuring that financial institutions manage technology and cyber risk effectively, especially in a landscape where third-party services are increasingly used. Start your journey to compliance with these practices:
- Due Diligence: Conduct thorough pre-contract due diligence before entering into relationships with third parties. This includes assessing the third party’s financial stability, reputation, and the adequacy of their cybersecurity measures.
- Third-Party Contracts: Include specific terms in third-party contracts that address technology and cyber risk. This includes clauses related to data protection, the right to audit, adherence to key performance indicators and key risk thresholds, and incident response requirements.
- Risk Assessments: Conduct regular risk assessments to understand the potential risks that third parties may pose, mainly related to technology and cybersecurity. This should include assessing how third parties handle data and the potential impact of disruptions or data breaches.
- Monitoring and Reporting: Continuously monitor for cyber risks, third-party performance, and adherence to contractual agreements. The institution should have processes to report and promptly address any issues or breaches.
- Incident Management and Response: Ensure third parties have adequate incident management and response plans. This includes clear communication channels and protocols for responding to cyber incidents.
- Business Continuity and Contingency Planning: Ensure third parties have robust business continuity plans that align with the institution’s contingency plans. This helps to ensure the continuity of critical services in the event of disruptions.
- Termination and Exit Strategies: Establish clear strategies and procedures for terminating third-party relationships and ensuring a smooth transition without compromising security or service continuity.
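The Principle 7 recommendation above asks vendors for an SBOM so that vulnerable or badly licensed components can be spotted during due diligence. The following is an added example, not code from the original article or from Prevalent or Mitratech, of what such a review looks like in practice: it parses a constructed CycloneDX-style JSON SBOM, compares each component's version against a constructed advisory list (placeholder advisory identifiers, not real CVEs), checks declared licenses against an allowlist, and flags components that declare no license at all. Component names, versions, the advisory entries and the allowlist are all assumptions made for the example; versions are assumed to be plain dotted integers.

```python
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM (not a real vendor deliverable).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-json", "version": "2.1.0",
         "purl": "pkg:pypi/example-json@2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-crypto", "version": "0.9.3",
         "purl": "pkg:pypi/example-crypto@0.9.3",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "example-http", "version": "1.4.2",
         "purl": "pkg:pypi/example-http@1.4.2"},   # no license declared
    ],
})

# Constructed advisory feed keyed by version-less purl:
# each entry is (placeholder advisory id, first fixed version).
ADVISORIES = {
    "pkg:pypi/example-crypto": [("ADVISORY-PLACEHOLDER-1", "0.9.4")],
    "pkg:pypi/example-http": [("ADVISORY-PLACEHOLDER-2", "1.4.0")],  # already fixed in 1.4.2
}

# Assumed organisational license allowlist.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass(frozen=True)
class Finding:
    component: str   # "name@version"
    kind: str        # "vulnerability" | "license" | "missing-license"
    detail: str


def parse_version(v):
    """Assumes dotted integer versions such as 1.4.2 (example simplification)."""
    return tuple(int(part) for part in v.split("."))


def parse_components(sbom_json):
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc.get("components", [])


def component_licenses(comp):
    """Collect SPDX ids (or free-text names) declared for a component."""
    ids = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name")
        if ident:
            ids.append(ident)
    return ids


def review_sbom(sbom_json, advisories=ADVISORIES, allowed=ALLOWED_LICENSES):
    """Return findings for vulnerable, disallowed-license and license-less components."""
    findings = []
    for comp in parse_components(sbom_json):
        version = comp.get("version", "0")
        label = f"{comp['name']}@{version}"
        base_purl = comp.get("purl", "").split("@")[0]
        # Vulnerability check: flag only if the shipped version is below the fix.
        for adv_id, fixed in advisories.get(base_purl, []):
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding(label, "vulnerability", f"{adv_id}; fixed in {fixed}"))
        # License checks.
        lics = component_licenses(comp)
        if not lics:
            findings.append(Finding(label, "missing-license", "no license declared"))
        for lic in lics:
            if lic not in allowed:
                findings.append(Finding(label, "license", f"{lic} not on allowlist"))
    return findings


if __name__ == "__main__":
    for f in review_sbom(SAMPLE_SBOM):
        print(f"{f.kind:16} {f.component:24} {f.detail}")
```

Keying advisories on the version-less purl and comparing against the fixed version, rather than on an exact version match, is what lets the same review run unchanged when the vendor ships an updated SBOM; a component that declares no license is flagged separately because it needs a follow-up question to the vendor rather than an automatic pass or fail.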
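The Principle 10 recommendation above describes a procedure: correlate assessment and monitoring findings into one risk register per vendor, score each risk with a probability-and-impact model, place it in a matrix, prioritize the highest scores, assign owners and re-rate until the residual risk is within appetite. The block below is an added example of that procedure, not code from the original article or from any TPRM product; the vendor names, findings, 1-to-5 rating scales, score bands and acceptance threshold are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    vendor: str
    source: str       # "assessment" (questionnaire result) or "monitoring" (external feed)
    title: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    owner: str = "unassigned"


# Constructed sample findings; vendors and issues are made up for the example.
ASSESSMENT = [
    Finding("Vendor A", "assessment", "No MFA on admin portal", 4, 4),
    Finding("Vendor A", "assessment", "Pen test older than 12 months", 2, 3),
    Finding("Vendor B", "assessment", "Backups not tested annually", 3, 4),
]
MONITORING = [
    Finding("Vendor A", "monitoring", "Credentials observed in a breach dump", 5, 4),
    Finding("Vendor C", "monitoring", "Negative financial news", 2, 2),
]

ACCEPTABLE_SCORE = 6   # constructed risk appetite: scores at or below this need no action


def score(f):
    """Probability x impact on the 5x5 scale."""
    return f.likelihood * f.impact


def band(s):
    """Constructed bands for the matrix colouring."""
    if s >= 15:
        return "critical"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def build_register(*sources):
    """Correlate findings from every source into one list per vendor."""
    register = defaultdict(list)
    for findings in sources:
        for f in findings:
            register[f.vendor].append(f)
    return dict(register)


def prioritized(register):
    """All findings, highest score first, as (vendor, title, score, band)."""
    rows = [(score(f), f) for fs in register.values() for f in fs]
    rows.sort(key=lambda r: r[0], reverse=True)
    return [(f.vendor, f.title, s, band(s)) for s, f in rows]


def risk_matrix(register):
    """Map each (likelihood, impact) cell to the titles that land in it."""
    cells = defaultdict(list)
    for fs in register.values():
        for f in fs:
            cells[(f.likelihood, f.impact)].append(f.title)
    return dict(cells)


def open_items(register, acceptable=ACCEPTABLE_SCORE):
    """Vendors with at least one finding still above appetite, and those findings."""
    out = {}
    for vendor, fs in register.items():
        above = [f.title for f in fs if score(f) > acceptable]
        if above:
            out[vendor] = above
    return out


def assign_owner(register, vendor, title, owner):
    updated = [replace(f, owner=owner) if f.title == title else f for f in register[vendor]]
    return {**register, vendor: updated}


def remediate(register, vendor, title, likelihood, impact):
    """Record a corrective action by re-rating the finding; the register is immutable."""
    updated = [replace(f, likelihood=likelihood, impact=impact) if f.title == title else f
               for f in register[vendor]]
    return {**register, vendor: updated}


if __name__ == "__main__":
    reg = build_register(ASSESSMENT, MONITORING)
    for row in prioritized(reg):
        print(row)
    print("open:", open_items(reg))
    reg = remediate(reg, "Vendor A", "No MFA on admin portal", 1, 4)   # MFA enforced
    print("open after remediation:", open_items(reg))
```

Keeping the register immutable and re-rating a finding rather than deleting it preserves the audit trail that Principle 17 and auditors expect: the original likelihood and impact remain in the earlier register snapshot, and the residual score after the corrective action is what is compared against appetite.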
Next Steps for OSFI B-13 Compliance
OSFI Guideline B-13 provides a comprehensive framework for ensuring resilience against technology and cyber risks – including those posed by third parties. If your organization is examining its business resilience practices, download our OSFI B-13 compliance checklist or contact Prevalent to request a demonstration.
Editor’s note: this article was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, an AI-driven third-party risk management company. The content has since been updated to include information aligned with our product offerings, regulatory changes and compliance.
