financial team reviewing documents

How will the updates to OSFI guidelines B-10 and B-13 help financial institutions mitigate new risks?

How will the updates to OSFI guidelines B-10 and B-13 help financial institutions mitigate new risks?

4 Minute Read

Financial institutions are facing a myriad of risks in today’s landscape — including cybersecurity risks and operational risks. The Office of the Superintendent of Financial Institutions (OSFI) recently updated its guidelines to address new threats, including:

  • Third-party risk management,
  • Cybersecurity and technology risk,
  • Operational risk and resilience, and
  • Technology and cybersecurity incident reporting advisory.

These guidelines apply to federally regulated financial institutions. However, provincially regulated financial institutions can also benefit from reviewing the updated guidelines and using them as waypoints to guide organizational decision-making.

Senior Manager, Enterprise Risk Services
Partner, National Leader, Internal Audit Services
Senior Manager, Enterprise Risk Services

Numerous threats are facing financial institutions today — including operational, cybersecurity, technology, and third-party risks. Failing to address them can cause business disruptions, legal and financial liabilities, or reputational damages to your organization. What steps can you take to successfully mitigate evolving risks in today’s financial services landscape?

The Office of the Superintendent of Financial Institutions (OSFI) is at the forefront of trends in the industry, and recently updated its guidelines to help financial institutions address new risks. These guidelines apply to federally regulated financial institutions (FRFIs) — however, they reflect some of the most pressing threats across the financial services industry today. Both federally and provincially regulated financial institutions can benefit from reviewing the updated OSFI guidelines and using those insights to develop a comprehensive risk mitigation strategy.

What are the OSFI guidelines?

OSFI is an independent agency of the Government of Canada with the mandate to regulate and supervise more than 400 financial institutions and 1200 pension plans. It provides oversight and issues guidelines to govern the operations of FRFIs in areas such as risk management and compliance.

OSFI recently updated guideline B-10 for third-party risk management as well as guideline B-13 for cybersecurity and technology risk. It also revised its Technology and Cybersecurity Incident Reporting Advisory and proposed updates to guideline E-21 to mitigate operational risks.

FRFIs must follow these guidelines to appropriately address and mitigate risks to their organization. While provincially regulated financial institutions are not required to align with the OSFI guidelines, regulators such as the Financial Services Regulatory Authority of Ontario (FSRA) has also updated its requirements. Therefore, it may be beneficial for provincially regulated financial institutions to also review these updates and use them to help guide organizational decision-making around risk mitigation.

B-10: Third-party risk management

OSFI updated guideline B-10 to expand the definition of a third party to any individual or entity that has a relationship with your financial institution. This may include sponsorships, spokespeople, or charities that your organization works with — and will have a significant impact on how your organization identifies, assesses, and mitigates third-party risks.

The updates to B-10 also include guidelines to address concentration risk, where your organization relies on the same vendor to provide multiple products or services. The updated guidelines will require your organization to identify and assess concentration risk both before entering an agreement and on an ongoing basis. This will help it determine the appropriate level of mitigation.

Additionally, the updated guideline requires the standardization of contracts to clearly define and manage your financial institution’s relationships with third parties.

B-13: Cybersecurity and technology risk

OSFI updated guideline B-13 to help FRFIs mitigate cybersecurity and technology risks. These updates introduce new governance requirements to the organizational structure of your IT department — including all operational departments and technology control owners.

The B-13 guideline now also requires your financial institution to establish a clear cybersecurity strategy. This strategy must be aligned with your IT strategy as well as the overall strategy of your organization. It also includes the assessment of third-party vendor risk for outsourced technology and technology processes.

B-13 now requires FRFIs to embed cybersecurity practices within project management and system development lifecycles. Additionally, your organization must provide proper user training for technology, applications, and infrastructure under the new guideline. This will help ensure your employees are aware of cyber risks and understand how to address them.

Enterprise Risk

You’re navigating an increasingly unpredictable business environment. We provide strategies and solutions to help you turn risk into a competitive advantage.

E-21: Operational risk and resilience

OSFI also proposed updates to guideline E-21 to include not only operational risk but also operational resilience. These proposed changes are currently available for review and feedback on the OSFI website before the updates are finalized.

If guideline E-21 is updated, your financial institution will not only be required to assess its people, processes, and technology to address operational risks — but also develop a resiliency strategy. This will include considerations such as the continuity of operations and funds in the case of operational disruptions.

Updates to OSFI Technology and Cybersecurity Incident Reporting Advisory

The updated OSFI guidelines now define a technology or cybersecurity incident as any incident that has an impact — or a potential impact — on the operations of a financial institution. This includes its confidentiality, integrity, or the availability of its systems and information. Examples of reportable incidents include cyberattacks, technology failure at a data centre, third party breaches, or extortion threats.

FRFIs must report a technology or cybersecurity incident to OSFI’s Technology Risk Division, as well as their OSFI lead supervisor, within 24 hours under this advisory. Those impacted by a technology or cybersecurity incident are now required to provide regular updates to OSFI as new information becomes available.

The advisory also requires affected financial institutions to provide short-term and long-term remediation actions and plans until the incident is resolved. Additionally, an incident report and lessons learned must be provided to OSFI after the incident is contained.

Is your organization prepared to mitigate new risks?

It is critical to take the right steps to address the risks facing financial institutions today to avoid disruptions to your operations and prevent reputational damages. The updated OSFI guidelines can help your organization navigate this new risk landscape and protect it from threats — no matter whether it is a federally or provincially regulated financial institution.

For more information, contact a member of MNP’s Enterprise Risk Services team. We have the experience to implement strategies that position your organization for long-term success and are committed to helping you protect your people, your reputation, and your bottom line.


  • Progress

    Your farm succession plan isn’t complete until it exists in writing

    The average age of farmers in Canada is increasing. Having a written succession plan becomes more important as you age, to help secure your legacy, protect your farm operation, and reduce conflict.

  • Progress

    How SMARTPro Helps Enhance Practice Value

    Learn how to get your practice into a ready state for a sale with SMARTPro.

  • April 10, 2024

    Unlock board value: key strategies for strong governance

    In the face of ever-present change and rapidly evolving challenges, having a solid board of directors can be a game-changer for your organization.