OSFI releases new guideline on technology risk and cyber risk that balances innovation and risk management

OTTAWA, ON, July 13 2022 /CNW/ – The Office of the Superintendent of Financial Institutions (OSFI) is today releasing the final version of Guideline B-13 outlining its expectations for how federally regulated financial institutions (FRFIs) manage risk technology-related and cyber risk, such as data leaks and technology failures.

The widespread use of technology and the increasing number of cyber incidents has precipitated the need for improved regulatory guidance for FRFIs on technology risk and cyber risk management. In the final version of Guideline B-13, OSFI provides guidance while enabling FRFIs to be competitive and take full advantage of digital innovation.

The guideline is organized into three domains, each of which sets out the main components of sound risk management: governance and risk management, technology operations and resilience and cybersecurity. Each of These areas are a desired outcome to help FRFIs understand OSFI’s expectations by emphasizing the “why” and “intended purpose” of technology risk and cyber risk management.

The final version of Guideline B-13 will not come into effect until 1er January 2024 to allow sufficient time for FRFIs to complete a self-assessment and take steps to comply with this new guideline.


“With today’s release of the final version of Guideline B-13, OSFI has shaped a flexible, principles-based approach to managing technology and cyber risk that takes into account the size and nature of financial institutions and the scope and complexity of their activities. »

– Jamey Hubbs, Deputy Superintendent

Quick Facts

  • The final version of the document is the result of an extensive consultation process with sectoral bodies, including the publication, in September 2020, of a working document followed by a consultation period from September to December 2020. OSFI Guideline B-13 study released November 2021; then, from November 2021 to February 2022, OSFI again submitted for consultation its proposed guidance on technology risk and cyber risk. The final version released today is the result of this process.
  • Compared to the version under study that was the subject of a consultation, the final version is a new version that is less prescriptive, simplified, and includes clearer definitions and expectations.
  • Several existing OSFI guidance and tools complement Guideline B-13, including Guideline B-13 Corporate governanceGuideline E-21 Operational risk managementthe revised draft version of Guideline B-10 Third Party Risk Management Guidelinethe notice Reporting of technology and cybersecurity incidents and the tool Cybersecurity self-assessment

Related documents


The Office of the Superintendent of Financial Institutions (OSFI) is an independent federal agency founded in 1987. Its mandate is to protect depositors, policyholders, creditors of financial institutions and members of pension plans, while allowing financial institutions compete and take reasonable risks. OSFI monitors over 400 federally-regulated financial institutions (FRFIs) and over 1,200 federally-regulated pension plans to determine whether they are in sound financial health and comply with applicable regulatory requirements.

SOURCE Office of the Superintendent of Financial Institutions

For further information: Press Relations: OSFI – Public Affairs, [email protected]343-550-9373


Leave a Comment