#CyberFLASH: what’s expected of federally regulated financial institutions

As federally regulated financial institutions (FRFIs) expand their reliance on technology, employ progressively complicated and interconnected networks and systems, increase their electronic service offerings and collaborate with technology service providers, cybersecurity has become a constant source of concern for FRFIs, as well as for their regulators. To safeguard against the potentially far-reaching damage a breach of cybersecurity could inflict upon Canada’s financial sector, the Office of the Superintendent of Financial Institutions (OSFI) has gradually incorporated cybersecurity into its ongoing supervision of risk, often by relying on FRFIs to take the initiative with limited regulator guidance.

2012: OVERSIGHT OF TECHNOLOGY-BASED OUTSOURCING SERVICES

In February 2012, OSFI released a memorandum (2012 Memorandum) reminding FRFIs that the expectations contained in OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes (Guideline B-10) “remain current and continue to apply” in respect of technology-based outsourcing services such as cloud computing. The 2012 Memorandum also emphasizes the importance of FRFIs considering their ability to meet the expectations of Guideline B-10 in respect of material technology-based outsourcing arrangements, with an emphasis on: confidentiality, security and separation of property; contingency planning; location of records; access and audit rights; subcontracting; and monitoring.

Although the 2012 Memorandum does not use the phrase “cybersecurity”, it confirms that any risks associated with outsourcing technology-based services are within the scope of OSFI’s existing outsourcing risk management expectations. Rather than targeting particular technologies, developing specific technology guidance or mandating compliance with specific standards (none of which was done in Guideline B-10 or the 2012 Memorandum), OSFI relies on the judgment of individual FRFIs to apply existing guidance and risk management principles to the technology and cyber risks they face. While this approach allows OSFI to avoid propagating over-inclusive (or under-inclusive) standards that rapidly become obsolete as technology evolves, it can often leave FRFIs unclear as to OSFI’s expectations.


© 2013 CyberTRAX Canada - All Rights Reserved.