On October 28, 2013 the Office of the Superintendent of Financial Institutions Canada ("OSFI") released a memorandum and self-assessment guideline for Federally Regulated Financial Institutions ("FRFIs") to assist with assessing, developing, and maintaining effective cyber security practices.1 OSFI expects senior management of FRFIs to review cyber risk management policies to ensure they remain effective in light of changing circumstances and risks.

OSFI cites the increased frequency and sophistication of recent cyber-attacks, the increasing reliance on technology, the interconnectedness of the financial sector and the critical role that FRFIs play in the economy as reasons why FRFIs are expected to have an appropriate and effective cyber management policy.

Cyber security self-assessment template

OSFI's template sets out certain desirable properties and characteristics of cyber security practices that a FRFI could use when assessing and planning enhancements to their cyber security framework. OSFI encourages FRFIs to reflect their current state of cyber security practices, rather than their target state, and to consider cyber security on an enterprise-wide basis. OSFI suggests that FRFIs rate their current degree of maturity on a scale of 1 to 4 (4 being fully implemented; 1 being not implemented). The six categories of assessment are:

  1. organization and resources: whether the FRFI has established clear accountability and ownership of, and financial resources for, the cyber security framework including whether there are cyber security staff properly screened and trained.
  2. cyber risk and control: whether the FRFI has proper processes to conduct regular and comprehensive cyber risk assessment including assessments of outsourcing arrangements and critical IT service providers and whether the FRFI undertakes regular vulnerability scans, testing with third party cyber mitigation services and simulation exercises.
  3. situational awareness: whether the FRFI maintains a knowledge base of users, devices and applications and their relationships to software, hardware and the FRFI network; whether the FRFI properly records and stores a history of security event information, conducts automated analysis of security events, conducts additional expert analysis, and whether the FRFI monitors and tracks security incidents in the financial services industry and more broadly where relevant.
  4. threat and vulnerability risk management: whether the FRFI has tools implemented to prevent unauthorized data from leaving the institution, monitoring outgoing traffic and properly safeguarding data; whether the FRFI has installed standard security tools and whether there are proper methods of defence to prevent DDos attacks and the proper tools implemented to secure mobile devices and wireless networks.
  5. cyber security incident management: whether the FRFI has the ability to monitor, analyze, and quickly respond to material cyber security incidents; whether there are appropriate internal and external communication plans in place to address cyber security incidents; and whether there are appropriate post-incident review processes.
  6. cyber security governance: whether the FRFI has the appropriate enterprise-wide policies, risk management procedures, auditing, and external benchmarks of such policies and procedures; whether there is proper oversight from senior management and board of directors.

Conclusion:

OSFI recognizes that many FRFIs likely already have their own internal assessment process for such cyber-security related procedures. The OSFI memo and guideline are provided to assist in FRFI self-assessment activities and OSFI states that it does not currently plan on establishing specific guidance for control and management of cyber risk. However, OSFI has indicated that it may request a FRFI to complete the template or otherwise emphasize cyber-security practices during future supervisory assessments, which it describes as is in line with its enhanced focus on cyber security as highlighted in its Plan and Priorities for 2013-2016.2