OSFI Guideline B-13 Compliance and Third-Party Risk Management
OSFI B-13 is a guideline issued by the Office of the Superintendent of Financial Institutions (OSFI) in Canada that outlines risk management requirements for developing greater resilience to technology and cyber risks – including those posed by third parties. Similar to Guideline B-10, which addresses outsourcing, Guideline B-13 applies to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches operating in Canada.
Initially issued in July 2022, Guideline B-13 is organized into three domains, each with a desired outcome contributing to resilience against technology and cyber risks. Outcomes are supported by 17 Principles, which are supported by individual guidelines.
OSFI B-13 and Third-Party Risk Management
Regarding third-party risk management, Guideline B-13 emphasizes the need for financial institutions to implement comprehensive strategies to manage risks associated with outsourcing and third-party relationships. The table below summarizes the third-party risk management-specific guidelines in B-13 and provides best practice recommendations to address the requirements.
NOTE: This table summarizes only third-party risk-specific requirements. For a full list of all requirements and principles, please consult the complete OSFI guidelines.
Best Practices for Addressing Guideline OSFI B-13 Requirements
Guideline B-13 requirements are part of a broader framework aimed at ensuring that financial institutions manage technology and cyber risk effectively, especially in a landscape where third-party services are increasingly used. Start your journey to compliance with these practices:
- Due Diligence: Conduct thorough pre-contract due diligence before entering into relationships with third parties. This includes assessing the third party’s financial stability, reputation, and the adequacy of their cybersecurity measures.
- Third-Party Contracts: Include specific terms in third-party contracts that address technology and cyber risk. This includes clauses related to data protection, the right to audit, adherence to key performance indicators and key risk thresholds, and incident response requirements.
- Risk Assessments: Conduct regular risk assessments to understand the potential risks that third parties may pose, mainly related to technology and cybersecurity. This should include assessing how third parties handle data and the potential impact of disruptions or data breaches.
- Monitoring and Reporting: Continuously monitor for cyber risks, third-party performance, and adherence to contractual agreements. Institutions should have processes to report and promptly address any issues or breaches.
- Incident Management and Response: Ensure third parties have adequate incident management and response plans. This includes clear communication channels and protocols for responding to cyber incidents.
- Business Continuity and Contingency Planning: Ensure third parties have robust business continuity plans that align with the institution’s contingency plans. This helps to ensure the continuity of critical services in the event of disruptions.
- Termination and Exit Strategies: Establish clear strategies and procedures for terminating third-party relationships and ensuring a smooth transition without compromising security or service continuity.
Next Steps for OSFI B-13 Compliance
OSFI Guideline B-13 provides a comprehensive framework for ensuring resilience against technology and cyber risks – including those posed by third parties. If your organization is examining its business resilience practices, download our OSFI B-13 compliance checklist or contact Prevalent to request a demonstration.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.