OSFI B-13 is a guideline issued by the Office of the Superintendent of Financial Institutions (OSFI) in Canada that outlines risk management requirements for developing greater resilience to technology and cyber risks – including those posted by third parties. Similar to Guideline B-10, which addresses outsourcing, Guideline B-13 applies to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches operating in Canada.
Initially issued in July 2022, Guideline B-13 is organized into three domains, each with a desired outcome contributing to resilience against technology and cyber risks. Outcomes are supported by 17 Principles, which are supported by individual guidelines.
Regarding third-party risk management, Guideline B-13 emphasizes the need for financial institutions to implement comprehensive strategies to manage risks associated with outsourcing and third-party relationships. The table below summarizes the third-party risk management-specific guidelines in B-13 and provides best practice recommendations to address the requirements.
NOTE: This table summarizes only third-party risk-specific requirements. For a full list of all requirements and principles, please consult the complete OSFI guidelines.
Principles | TPRM Best Practices |
---|---|
Domain: Governance and risk management This domain sets OSFI’s expectations for the formal accountability, leadership, organizational structure and framework used to support risk management and oversight of technology and cyber security. Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks. |
|
Principle 1: Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI. Principle 2: FRFIs should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align to business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment. |
Seek out experts to collaborate with your team on defining and implementing TPRM processes and solutions in the context of your overall risk management approach; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding. As part of this process, you should define:
|
Principle 3: FRFIs should establish a technology and cyber risk management framework (RMF). The framework should set out a risk appetite for technology and cyber risks and define FRFI’s processes and requirements to identify, assess, manage, monitor and report on technology and cyber risks. |
See out a risk management solution that features a large library of framework-specific risk assessments – such as ISO, NIST, or others. Leverage pre-built, framework-specific risk assessments to simplify controls mapping and reporting. A chosen framework should align with enterprise-level risk management requirements. |
Domain: Technology operations and resilience This domain sets OSFI’s expectations for “management and oversight of risks related to the design, implementation, management and recovery of technology assets and services. Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating and recovery processes. |
|
Principle 7: FRFIs should implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives. |
As part of the due diligence process, require vendors to provide updated software bills of materials (SBOMs) for their software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization's security and compliance posture. |
Principle 10: FRFIs should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts. |
Continuously track and analyze external threats to third parties. As part of this, monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Monitoring sources should include:
All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Once all assessment and monitoring data is correlated into a central risk register, apply risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those. Assign owners and track risks and remediations to a level acceptable to the business. |
Principle 11: FRFIs should develop service and capacity standards and processes to monitor operational management of technology, ensuring business needs are met. |
Continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities, measuring third-party vendor key performance indicators (KPIs) and key risk indicators (KRIs) through the relationship lifecycle. |
Domain: Cyber security This domain sets OSFI’s expectations for “management and oversight of cyber risk. Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets. |
|
Principle 14: FRFIs should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors. |
Look for solutions that feature a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship. Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors. As part of this process, continuously track and analyze external threats to third parties. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. |
Principle 17: FRFIs should respond to, contain, recover and learn from cyber security incidents impacting their technology assets, including incidents originating at third-party providers. |
As part of your broader incident management strategy ensure that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents. Key capabilities in a third-party incident response service include:
Also, consider leveraging databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging experts. |
Meet OSFI Guidelines and Ensure Business Resilience
Download this comprehensive checklist to understand and address the third-party risk management requirements in OSFI B-13.
Guideline B-13 requirements are part of a broader framework aimed at ensuring that financial institutions manage technology and cyber risk effectively, especially in a landscape where third-party services are increasingly used. Start your journey to compliance with these practices:
OSFI Guideline B-13 provides a comprehensive framework for ensuring resilience against technology and cyber risks – including those posed by third parties. If your organization is examining its business resilience practices, download our OSFI B-13 compliance checklist or contact Prevalent to request a demonstration.
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024
Learn how integrating the NIST Privacy Framework with third-party risk management (TPRM) helps organizations enhance data...
09/12/2024