CANADA’S GUIDELINE B-13: PRACTICAL STEPS TO BOLSTER TECHNOLOGY AND CYBER RISK MANAGEMENT

  • Gabie Lang
  • Published: 18 September 2024


With Guideline B-13, Canada’s Office of the Superintendent of Financial Institutions (OSFI) establishes new requirements for federally regulated financial institutions (FRFIs) on the governance of technology and cyber risk management.

Effective since January 1, 2024, Guideline B-13 is a response not only to escalating cyber threats but also a recognition of the critical role technology plays in day-to-day operations. It emphasizes a comprehensive approach that includes technology strategy and framework definition, while also requiring documented processes and roadmaps in areas such as legacy technology management, software development lifecycle, project management, data management, and other key aspects of operational resilience.

Guideline B-13 stands apart from related regulations and guidelines for a number of reasons:

  • It provides a focused and flexible governance guideline for managing technology and cyber risks, whereas established technology governance frameworks such as COBIT 2019 are broader and more comprehensive with objectives that span governance, alignment with business, service delivery, and continuous monitoring and evaluation.
  • It aligns with global trends yet also acknowledges the unique nature of the Canadian financial sector. While flexibility might pose some challenges around clarity and compliance, it allows institutions to tailor their governance practices effectively. Additionally, B-13 is part of a broader regulatory effort to enhance cyber and technological resilience, including legislative reforms proposed by Bill C-27 and Bill C-26, aimed at updating privacy laws and introducing new cybersecurity requirements.
  • It marks a critical step in strengthening the governance of technology and cyber risks within Canada's financial sector, ensuring institutions are equipped to manage emerging threats and maintain trustworthiness and operational resilience in the digital era.

WHAT ARE GUIDELINE B-13’S INTENDED OUTCOMES?

Guideline B-13 aims to strike a balance between flexibility and greater resilience to technology and cyber risks, and expands on parts of existing related guidelines, including the Corporate Governance Draft Guideline E-21 (Operational Resilience and Operational Risk Management), B-10 (Third-Party Risk Management) and OSFI’s Cyber Security Self-Assessment Tool and Incident Reporting Advisory. 

Guideline B-13 sets out three key outcomes for successful technology governance.

  • Governance and Risk Management. Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
  • Technology Operations and Resilience. Technology environments are stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technological operating and recovery processes.
  • Cybersecurity. A secure technology posture is in place and maintains the confidentiality, integrity and availability of a financial institution’s technology assets.

HOW CAN FRFIs ACHIEVE B-13’S INTENDED OUTCOMES?

To achieve the desired governance outcomes on an ongoing basis, FRFIs should first and foremost assess their current maturity across the entire scope of Guideline B-13. By identifying opportunity areas against specific parameters in governance and risk management, technology operations and resilience, and cybersecurity, business leaders can allocate their efforts more strategically towards enhancing technology and cybersecurity capabilities, using IT maturity parameters that regulators recognize and that are aligned with peer institutions.

Once that maturity is established, FRFIs should regularly carry out the following activities to bolster their technology and cybersecurity postures:

  • Determine risk tolerance and risk-based frameworks.
  • Assess technology risks and maturity against best practices and regulations.
  • Implement effective risk management practices that consider cybersecurity risks and organizational, legal and technical measures.
  • Manage performance and incidents through accurate risk reporting and regular review and testing of business continuity and incident response plans.

HOW CAPCO CAN HELP 

Determining the risk maturity of your business and implementing enhancements can be an arduous process. Drawing on our deep insurance, wealth asset management, technology and regulatory experience, we can support FRFIs in the following areas:

  • Assessing maturity against the latest regulations, best practices and standards.
  • Conducting risk assessments across current and potential technology and cybersecurity risks.
  • Designing and implementing robust governance and risk management frameworks.
  • Facilitating complex organizational changes, providing a systematic approach to dealing with the transition to existing governance operating models.
© Capco 2025, A Wipro Company