On October 28 2013 the Office of the Superintendent of Financial Institutions Canada (OSFI), the federal regulator of insurers, deposit-taking institutions and loan and trust companies, released a memorandum and self-assessment guideline for federally regulated financial institutions (FRFIs) to assist with assessing, developing and maintaining effective cyber security practices. OSFI expects senior management of FRFIs to review cyber risk management policies to ensure that they remain effective in light of changing circumstances and risks.
OSFI cites the increased frequency and sophistication of recent cyber attacks, the increasing reliance on technology, the interconnectedness of the financial sector and the critical role that FRFIs play in the economy as reasons why FRFIs are expected to have an appropriate and effective cyber management policy.
OSFI's template sets out certain properties and characteristics of cyber security practices that an FRFI can use when assessing and planning enhancements to its cyber security framework. OSFI encourages FRFIs, when completing the template, to reflect their existing cyber security practices rather than their target practices, and to consider cyber security on an enterprise-wide basis. OSFI suggests that FRFIs rate their current degree of maturity on a scale of one to four (four being fully implemented and one being not implemented). The six categories of assessment are as follows:
Organisation and resources -
- whether the FRFI has established clear accountability and ownership of, and financial resources for, the cyber security framework, including whether there are cyber security staff who are properly screened and trained.
Cyber risk and control -
- whether the FRFI has proper processes to conduct regular and comprehensive cyber risk assessments, including assessments of outsourcing arrangements and critical IT service providers; and
- whether the FRFI undertakes regular vulnerability scans, testing with third-party cyber mitigation services and simulation exercises.
Situational awareness -
- whether the FRFI maintains a knowledge base of users, devices and applications and their relationships to software, hardware and the FRFI network;
- whether the FRFI properly records and stores a history of security event information, conducts automated analysis of security events and conducts additional expert analysis; and
- whether the FRFI monitors and tracks security incidents in the financial services industry and more broadly where relevant.
Threat and vulnerability risk management -
- whether the FRFI has implemented tools to prevent unauthorised data from leaving the institution, monitor outgoing traffic and properly safeguard data;
- whether the FRFI has installed standard security tools; and
- whether there are proper methods of defence to prevent distributed denial-of-service attacks, and proper tools implemented to secure mobile devices and wireless networks.
Cyber security incident management -
- whether the FRFI has the ability to monitor, analyse and quickly respond to material cyber security incidents;
- whether there are appropriate internal and external communication plans in place to address cyber security incidents; and
- whether there are appropriate post-incident review processes.
Cyber security governance -
- whether the FRFI has appropriate enterprise-wide policies and risk management procedures, together with auditing and external benchmarking of such policies and procedures; and
- whether there is proper oversight from senior management and the board of directors.
OSFI recognises that many FRFIs are likely to already have their own internal assessment process for such cyber security related procedures. The OSFI memo and guidelines are provided to assist in FRFI self-assessment activities, and OSFI states that it does not plan to establish specific guidance for the control and management of cyber risk. However, OSFI has indicated that it may request an FRFI to complete the template, or otherwise emphasise cyber security practices during future supervisory assessments, which it describes as in line with its enhanced focus on cyber security as highlighted in its Plan and Priorities for 2013-2016.
For further information on this topic please contact Pat Forgione, Stephanie M Robinson or Sean Brandreth at McMillan LLP by telephone (+1 416 865 7000) or fax (+1 416 865 7048). The McMillan LLP website can be accessed at www.mcmillan.ca.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.