#CyberFLASH: Canada – OSFI Releases Cyber Security Self-Assessment Guidance for Federally Regulated Financial Institutions


OSFI released Cyber Security Self-Assessment Guidance (the Guidance) for federally regulated financial institutions (FRFIs). While the Guidance only applies to FRFIs, service providers to FRFIs will feel a “trickle-down” effect and, therefore, should familiarize themselves with the Guidance.

With cyber attacks becoming more frequent and more sophisticated, cyber security has grown in importance internationally, as well as in Canada, in recent years. Earlier this spring, in response to its growing concerns regarding “the rapid evolution of cyber attacks in terms of frequency, fire power and targets,” the Office of the Superintendent of Financial Institutions (OSFI) identified cyber risk as one of its top priorities and indicated that one of OSFI’s new initiatives would be the “in-depth review of institutions’ current cyber protection practices.”

OSFI, Canada’s federal financial institutions regulator, indicates in the Guidance that it “expects FRFI Senior Management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks.” The purpose of the Guidance, as explained by OSFI, is to assist FRFIs to assess their current level of preparedness to address cyber security risks and to develop and maintain effective cyber security practices.

Unlike the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for FRFIs to control and manage cyber security risk, nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it “does not currently plan to establish specific guidance for the control and management of cyber risk.”

Rather, the Guidance provides an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.”

Read more Mondaq (registered)

© 2013 CyberTRAX Canada - All Rights Reserved.