Planning for the “When” not “If” of a cyber attack: increasing federal oversight of financial institutions’ cyber security practices

The Canadian reinsurance industry, like others, is facing the risk of increasingly frequent and sophisticated cyber attacks. As a result, regulators are turning increased attention to financial institutions’ overall level of preparedness against such cyber threats. Canada’s federal financial institutions regulator, the Office of the Superintendent of Financial Institutions (OSFI), has made clear that it expects senior management of all federally regulated financial institutions (FRFIs) to review cyber risk management policies to ensure they remain effective in light of changing circumstances and risks. In its recently published paper “Plans and Priorities for 2013-2016”, OSFI listed cyber risk as one of the regulator’s top priorities. To this end, on October 28, 2013, OSFI issued a “Cyber Security Self-Assessment Guidance” (the OSFI Guidance) for FRFIs.

The Guidance is an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” Although the self-assessment template is termed a “guidance”, and thus seemingly voluntary, OSFI has indicated that it can request that FRFIs complete the self-assessment template, or otherwise emphasise cyber security practices during future supervisory assessments.

The intent of the Guidance is for FRFIs to assess the current state of their cyber security practices, rather than their target state, and to consider all security practices on an enterprise-wide basis. The Guidance provides the following six broad categories of assessment (each of which, in turn, has specific cyber security preparedness principles):

  1. Organisation and resources – the FRFI’s establishment of accountability and ownership of its cyber security framework, as well as resources (both financial and personnel) and training dedicated to threat assessment, management, and cyber security incident response.
  2. Cyber risk and control assessment – the FRFI’s processes with respect to assessing, mitigating, and responding to cyber risk, including assessments of outsourcing arrangements and critical IT service providers, conduct of cyber attack and recovery simulations, and impact assessment of extended, nationwide Internet outages.
  3. Situational awareness – the FRFI’s enterprise-wide knowledge and ability to keep current on developing security risks through the use of record-keeping, self-assessment and expert analysis, and subscription to industry research on cyber security.
  4. Threat and vulnerability risk management – the FRFI’s implementation of tools and controls for data loss detection/prevention and cyber incident detection and mitigation in a number of relevant areas, including: standard security configuration, network access controls and management, third party management, and customers and clients.
  5. Cyber security incident management – the FRFI’s incident management framework and its ability to rapidly respond, support, resolve, and review a cyber attack (including change management processes, incident escalation protocols and communications protocols) should a cyber security incident arise.
  6. Cyber security governance – the FRFI’s framework on a strategic and operational basis to address cyber risk, including the appropriate enterprise-wide policies, risk management procedures, auditing, and external benchmarks of such policies and procedures, as well as oversight from senior management and the board of directors.

Each FRFI must rate its level of cyber security preparedness on a scale of 1 to 4 for each of the criteria in the six categories, with “1” representing a criterion that has not been implemented and “4” representing a criterion that has been fully implemented across its enterprise. Notably, the Guidance does not require that FRFIs change their self-assessment processes, nor does it insist on the implementation of certain risk management policies. In fact, the Guidance specifically states that OSFI “does not currently plan to establish specific guidance for the control and management of cyber risk.”

Although the Guidance only applies to FRFIs, it seems it will inescapably impact outsourcing and critical IT service providers to FRFIs. A number of the criteria in the template relate to arrangements with material outsourcing providers and critical IT service providers (including related subcontracting arrangements). As a result, service providers to FRFIs will likely be subject to similarly rigorous security reviews by FRFIs as oversight from federal regulators increases. (The Guidance has been criticised for failing to do more to address threats within the interconnected systems between FRFIs and non-FRFI third parties.)

OSFI has stated its intention to increase its resources in the area of operational risk to allow for more reviews of FRFIs (e.g. reviews of technology risk with a focus on cyber security; quality of data systems; and overall management of rising operational risk). As such, though the Guidance is structured as a self-assessment tool, OSFI appears committed to providing the guidance and oversight required to encourage FRFIs to use the template to develop and maintain effective cyber security practices.