OSFI Guideline B-13 Compliance and Third-Party Risk Management

Use this best practice guidance to improve resilience against third-party technology and cyber risks.
By:
Scott Lang
,
VP, Product Marketing
August 15, 2024
Share:
2024 Blog OSFI B13

OSFI B-13 is a guideline issued by the Office of the Superintendent of Financial Institutions (OSFI) in Canada that outlines risk management requirements for developing greater resilience to technology and cyber risks – including those posted by third parties. Similar to Guideline B-10, which addresses outsourcing, Guideline B-13 applies to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches operating in Canada.

Initially issued in July 2022, Guideline B-13 is organized into three domains, each with a desired outcome contributing to resilience against technology and cyber risks. Outcomes are supported by 17 Principles, which are supported by individual guidelines.

OSFI B-13 and Third-Party Risk Management

Regarding third-party risk management, Guideline B-13 emphasizes the need for financial institutions to implement comprehensive strategies to manage risks associated with outsourcing and third-party relationships. The table below summarizes the third-party risk management-specific guidelines in B-13 and provides best practice recommendations to address the requirements.

NOTE: This table summarizes only third-party risk-specific requirements. For a full list of all requirements and principles, please consult the complete OSFI guidelines.

Principles TPRM Best Practices

Domain: Governance and risk management

This domain sets OSFI’s expectations for the formal accountability, leadership, organizational structure and framework used to support risk management and oversight of technology and cyber security.

Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.

Principle 1: Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.

Principle 2: FRFIs should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align to business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment.

Seek out experts to collaborate with your team on defining and implementing TPRM processes and solutions in the context of your overall risk management approach; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding.

As part of this process, you should define:

  • Clear roles and responsibilities (e.g., RACI).
  • Third-party inventories.
  • Risk scoring and thresholds based on your organization’s risk tolerance.
  • Assessment and monitoring methodologies based on third-party criticality.
  • Fourth-party mapping to understand risk in your extended vendor ecosystem.
  • Sources of continuous monitoring data (cyber, business, reputational, financial).
  • Key performance indicators (KPIs) and key risk indicators (KRIs).
  • Governing policies, standards, systems and processes to protect data.
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

Principle 3: FRFIs should establish a technology and cyber risk management framework (RMF). The framework should set out a risk appetite for technology and cyber risks and define FRFI’s processes and requirements to identify, assess, manage, monitor and report on technology and cyber risks.

See out a risk management solution that features a large library of framework-specific risk assessments – such as ISO, NIST, or others. Leverage pre-built, framework-specific risk assessments to simplify controls mapping and reporting. A chosen framework should align with enterprise-level risk management requirements.

Domain: Technology operations and resilience

This domain sets OSFI’s expectations for “management and oversight of risks related to the design, implementation, management and recovery of technology assets and services.

Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating and recovery processes.

Principle 7: FRFIs should implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.

As part of the due diligence process, require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization's security and compliance posture.

Principle 10: FRFIs should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.

Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources should include:

  • Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
  • Databases containing several years of data breach history for thousands of companies around the world

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those.

Assign owners and track risks and remediations to a level acceptable to the business.

Principle 11: FRFIs should develop service and capacity standards and processes to monitor operational management of technology, ensuring business needs are met.

Continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities, measuring third-party vendor key performance indicators (KPIs) and key risk indicators (KRIs) through the relationship lifecycle.

Domain: Cyber security

This domain sets OSFI’s expectations for “management and oversight of cyber risk.

Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.

Principle 14: FRFIs should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.

Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship.
Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, continuously track and analyze external threats to third parties. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Principle 17: FRFIs should respond to, contain, recover and learn from cyber security incidents impacting their technology assets, including incidents originating at third-party providers.

As part of your broader incident management strategy ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents.

Key capabilities in a third-party incident response service include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
  • Built-in reporting templates for internal and external stakeholders
  • Guidance from built-in remediation recommendations to reduce risk
  • Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data

Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging experts.

Meet OSFI Guidelines and Ensure Business Resilience

Download this comprehensive checklist to understand and address the third-party risk management requirements in OSFI B-13.

Read Now
Feature osfi b13 checklist

Best Practices for Addressing Guideline OSFI B-13 Requirements

Guideline B-13 requirements are part of a broader framework aimed at ensuring that financial institutions manage technology and cyber risk effectively, especially in a landscape where third-party services are increasingly used. Start your journey to compliance with these practices:

  • Due Diligence: Conduct thorough pre-contract due diligence before entering into relationships with third parties. This includes assessing the third party's financial stability, reputation, and the adequacy of their cybersecurity measures.
  • Third-Party Contracts: Include specific terms in third-party contracts that address technology and cyber risk. This includes clauses related to data protection, the right to audit, adherence to key performance indicators and key risk thresholds, and incident response requirements.
  • Risk Assessments: Conduct regular risk assessments to understand the potential risks that third parties may pose, mainly related to technology and cybersecurity. This should include assessing how third parties handle data and the potential impact of disruptions or data breaches.
  • Monitoring and Reporting: Continuously monitor for cyber risks, third-party performance, and adherence to contractual agreements. They should have processes to report and promptly address any issues or breaches.
  • Incident Management and Response: Ensure third parties have adequate incident management and response plans. This includes clear communication channels and protocols for responding to cyber incidents.
  • Business Continuity and Contingency Planning: Ensure third parties have robust business continuity plans that align with the institution’s contingency plans. This helps to ensure the continuity of critical services in the event of disruptions.
  • Termination and Exit Strategies: Establish clear strategies and procedures for terminating third-party relationships and ensuring a smooth transition without compromising security or service continuity.

Next Steps for OSFI B-13 Compliance

OSFI Guideline B-13 provides a comprehensive framework for ensuring resilience against technology and cyber risks – including those posed by third parties. If your organization is examining its business resilience practices, download our OSFI B-13 compliance checklist or contact Prevalent to request a demonstration.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo