OSFI – Intelligence Led Cyber Resilience Testing (I-CRT) framework

Effective date:

Issued April 21, 2023

Last updated:

April 2023


On April 21, 2023, the Office of the Superintendent of Financial Institutions (OSFI) released this framework to help identify areas where the financial sector could be vulnerable to sophisticated cyber-attack. The Intelligence Led Cyber Resilience Testing (I-CRT) framework outlines a methodology and serves as an implementation guide for federally regulated financial institutions (FRFIs) conducting I-CRT assessments. 

Under the I-CRT framework, OSFI provides guidance and oversight throughout the assessment, while FRFIs manage overall testing. Consistent with OSFI’s Guideline B-13 – Technology and Cyber Risk Management, OSFI expects FRFIs to have measures in place that create resilience against cyber attacks and disruptions. The I-CRT framework is a supervisory tool that supplements Guideline B-13 with I-CRT assessments that allow FRFIs to proactively identify and address issues with their cyber resilience.

The I-CRT framework currently applies to Canada’s systemically important banks (SIBs) and internationally active insurance groups (IAIGs). OSFI recommends that these institutions conduct an I-CRT assessment at least once during each three-year supervisory cycle, beginning in 2023.

Re­view  the press re­lease and the Framework  on OSFI's Web site.

Recent developments




April 21, 2023

OSFI issued its Intelligence Led Cyber Resilience Testing (I-CRT) framework

For fur­ther de­tails re­fer to the OSFI press re­lease.


Amendments under consideration

  • None

Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.