
How will the updates to OSFI guidelines B-10 and B-13 help financial institutions mitigate new risks?

Synopsis

Financial institutions face a wide range of risks in today’s landscape, including cybersecurity and operational risks. The Office of the Superintendent of Financial Institutions (OSFI) recently updated its guidance in four areas to address these threats:

  • Third-party risk management,
  • Cybersecurity and technology risk,
  • Operational risk and resilience, and
  • Technology and cybersecurity incident reporting advisory.

These guidelines apply to federally regulated financial institutions. However, provincially regulated financial institutions can also benefit from reviewing the updated guidelines and using them as waypoints to guide organizational decision-making.

Senior Manager, Enterprise Risk Services
Partner, National Leader, Internal Audit Services
Senior Manager, Enterprise Risk Services

Financial institutions face numerous threats today, including operational, cybersecurity, technology, and third-party risks. Failing to address them can cause business disruptions, legal and financial liabilities, or reputational damage to your organization. What steps can you take to mitigate evolving risks in today’s financial services landscape?

The Office of the Superintendent of Financial Institutions (OSFI) is at the forefront of trends in the industry, and recently updated its guidelines to help financial institutions address new risks. These guidelines apply to federally regulated financial institutions (FRFIs) — however, they reflect some of the most pressing threats across the financial services industry today. Both federally and provincially regulated financial institutions can benefit from reviewing the updated OSFI guidelines and using those insights to develop a comprehensive risk mitigation strategy.

What are the OSFI guidelines?

OSFI is an independent agency of the Government of Canada with the mandate to regulate and supervise more than 400 financial institutions and 1200 pension plans. It provides oversight and issues guidelines to govern the operations of FRFIs in areas such as risk management and compliance.

OSFI recently updated guideline B-10 for third-party risk management as well as guideline B-13 for cybersecurity and technology risk. It also revised its Technology and Cybersecurity Incident Reporting Advisory and proposed updates to guideline E-21 to mitigate operational risks.

FRFIs must follow these guidelines to appropriately address and mitigate risks to their organization. Provincially regulated financial institutions are not required to align with the OSFI guidelines, but provincial regulators such as the Financial Services Regulatory Authority of Ontario (FSRA) have also updated their requirements. It may therefore be beneficial for provincially regulated financial institutions to review the OSFI updates as well and use them to guide organizational decision-making around risk mitigation.

B-10: Third-party risk management

OSFI updated guideline B-10 to expand the definition of a third party to any individual or entity that has a relationship with your financial institution. This may include sponsorships, spokespeople, or charities that your organization works with — and will have a significant impact on how your organization identifies, assesses, and mitigates third-party risks.

The updates to B-10 also address concentration risk, which arises when your organization relies on the same vendor for multiple products or services. The updated guideline requires your organization to identify and assess concentration risk both before entering an agreement and on an ongoing basis, so that it can determine the appropriate level of mitigation.

Additionally, the updated guideline requires the standardization of contracts to clearly define and manage your financial institution’s relationships with third parties.

B-13: Cybersecurity and technology risk

OSFI updated guideline B-13 to help FRFIs mitigate cybersecurity and technology risks. The updates introduce new governance requirements that extend beyond the IT department to all operational departments and to the owners of technology controls.

The B-13 guideline now also requires your financial institution to establish a clear cybersecurity strategy. This strategy must be aligned with your IT strategy as well as the overall strategy of your organization, and it must include the assessment of third-party risk for outsourced technology and technology processes.

B-13 now requires FRFIs to embed cybersecurity practices within project management and system development lifecycles. Additionally, your organization must provide proper user training for technology, applications, and infrastructure under the new guideline. This will help ensure your employees are aware of cyber risks and understand how to address them.


E-21: Operational risk and resilience

OSFI also proposed updates to guideline E-21 to include not only operational risk but also operational resilience. These proposed changes are currently available for review and feedback on the OSFI website before the updates are finalized.

If guideline E-21 is updated as proposed, your financial institution will be required not only to assess its people, processes, and technology to address operational risks, but also to develop a resilience strategy. This will include considerations such as the continuity of operations and access to funds in the event of an operational disruption.

Updates to OSFI Technology and Cybersecurity Incident Reporting Advisory

The updated advisory defines a technology or cybersecurity incident as any incident that has an impact, or a potential impact, on the operations of a financial institution, including the confidentiality, integrity, or availability of its systems and information. Examples of reportable incidents include cyberattacks, technology failures at a data centre, third-party breaches, and extortion threats.

Under this advisory, FRFIs must report a technology or cybersecurity incident to OSFI’s Technology Risk Division, as well as to their OSFI lead supervisor, within 24 hours. Affected institutions are also required to provide regular updates to OSFI as new information becomes available.

The advisory also requires affected financial institutions to provide short-term and long-term remediation actions and plans until the incident is resolved. Additionally, an incident report and lessons learned must be provided to OSFI after the incident is contained.

Is your organization prepared to mitigate new risks?

Taking the right steps to address the risks facing financial institutions today is critical to avoiding disruptions to your operations and preventing reputational damage. The updated OSFI guidelines can help your organization navigate this new risk landscape and protect it from threats, whether it is a federally or provincially regulated financial institution.

For more information, contact a member of MNP’s Enterprise Risk Services team. We have the experience to implement strategies that position your organization for long-term success and are committed to helping you protect your people, your reputation, and your bottom line.
