OSFI consultation on technology risks in the financial sector [Completed]

Next Effective date:

August 13, 2021

Last updated:

August 2021

Overview

    On September 15, 2020, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month consultation with the publication of a discussion paper, "Developing financial sector resilience in a digital world". The paper focuses on risks arising from rapid technological advancement and digitalization, as these trends impact the stability of the Canadian financial sector.

    This consultation supports OSFI's strategic objective to ensure that federally regulated financial institutions and pension plans are better prepared to identify and develop resilience to non-financial risks before they negatively affect their financial condition. While technology is a key enabler for financial institutions and financial consumers, its widespread use and rapid adoption can pose risks in many different areas of the business if not properly understood and managed.

    Understanding the financial sector's use of technology and how technology risks are managed is central to this consultation. OSFI's discussion paper focuses on the risk areas of cyber security, advanced analytics (artificial intelligence and machine learning), and the use of third party services such as cloud computing.

    OSFI welcomes comments and submissions on the discussion paper by December 15, 2020.

    Review the press release on OSFI's website.

    On August 13, 2021, OSFI issued updated requirements for technology and cyber incident reporting. The updated Technology and Cyber Security Incident Reporting Advisory (the "Advisory") supports a coordinated and integrated response to technology and cyber security incidents when they occur at FRFIs.

    Under the updated Advisory, FRFIs must report a technology or cyber security incident to OSFI's Technology Risk Division as well as their Lead Supervisor at OSFI within 24 hours, or sooner if possible. Other changes in the Advisory include a new "failure to report" section: if a FRFI does not report a cyber incident, it could be subject to increased supervisory oversight by OSFI, placed on a watch list or assigned one of the stages in OSFI's supervisory intervention approach, among other measures.

    Separately, OSFI also released an updated Cyber Security Self-Assessment ("Self-Assessment") that helps FRFIs gauge and improve their current state of readiness in the face of emerging and expanding cyber threats. The Self-Assessment examines a FRFI's capability to respond to a cyber incident in areas ranging from organization and resources, to how it manages threats, risks and incidents, and allows FRFIs to rate each element on a scale from non-existent to continuous improvement.

    Other developments

    August 2021

    On August 13, 2021, OSFI issued updated requirements for technology and cyber incident reporting. The updated Technology and Cyber Security Incident Reporting Advisory (the "Advisory") supports a coordinated and integrated response to technology and cyber security incidents when they occur at FRFIs.

    October 2020

    On September 15, 2020, OSFI issued a discussion paper, "Developing financial sector resilience in a digital world". Comments are requested by December 15, 2020.
