Planning for the “When” not “If” of a cyber attack: increasing federal oversight of financial institutions’ cyber security practices
The Canadian reinsurance industry, like others, is facing the risk of increasingly frequent and sophisticated cyber attacks. As a result, regulators are turning increased attention to financial institutions’ overall level of preparedness against such cyber threats. Canada’s federal financial institutions regulator, the Office of the Superintendent of Financial Institutions (OSFI), has made clear that it expects senior management of all federally regulated financial institutions (FRFIs) to review cyber risk management policies to ensure they remain effective in light of changing circumstances and risks. In its recently published paper “Plans and Priorities for 2013-2016”, OSFI listed cyber risk as one of the regulator’s top priorities. To this end, on October 28, 2013, OSFI issued a “Cyber Security Self-Assessment Guidance” (the OSFI Guidance) for FRFIs.
The Guidance is an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” Although the self-assessment template is termed a “guidance”, and thus seemingly voluntary, OSFI has indicated that it can request that FRFIs complete the self-assessment template, or otherwise emphasise cyber-security practices during future supervisory assessments.
The intent of the Guidance is for FRFIs to assess the current state of their cyber security practices, not their target state, and moreover to consider all security practices on an enterprise-wide basis. The Guidance provides the following six broad categories of assessment (each of which, in turn, has specific cyber security preparedness principles):
- Organisation and resources – the FRFI’s establishment of accountability and ownership of its cyber security framework, as well as resources (both financial and personnel) and training dedicated to threat assessment, management, and cyber security incident response.
- Cyber risk and control assessment – the FRFI’s processes with respect to assessing, mitigating, and responding to cyber risk, including assessments of outsourcing arrangements and critical IT service providers, conduct of cyber attack and recovery simulations and impact assessment of extended, nationwide Internet outages.
- Situational awareness – the FRFI’s enterprise-wide knowledge and ability to keep current on developing security risks through the use of record-keeping, self-assessment and expert analysis, and subscription to industry research on cyber security.
- Threat and vulnerability risk management – the FRFI’s implementation of tools and controls for data loss detection/prevention and cyber incident detection and mitigation in a number of relevant areas including: standard security configuration, network access controls and management, third party management, and customers and clients.
- Cyber security incident management – the FRFI’s incident management framework and its ability to rapidly respond to, contain, resolve, and review a cyber attack (including change management processes, incident escalation protocols and communications protocols) should a cyber security incident arise.
- Cyber security governance – the FRFI’s framework on a strategic and operational basis to address cyber risk including the appropriate enterprise-wide policies, risk management procedures, auditing, and external benchmarks of such policies and procedures, as well as oversight from senior management and the board of directors.
Each FRFI must rate its level of cyber security preparedness on a scale of 1 to 4 for each of the criteria in the six categories; with “1” representing a criterion that has not been implemented, and “4” representing a criterion that has been fully implemented across its enterprise. Notably, the Guidance does not require that FRFIs change their self-assessment processes, or insist on the implementation of certain risk management policies. In fact, the Guidance specifically states that OSFI “does not currently plan to establish specific guidance for the control and management of cyber risk.”
Although the Guidance only applies to FRFIs, it seems it will inescapably impact outsourcing and critical IT service providers to FRFIs. A number of the criteria in the template relate to arrangements with material outsourcing providers and critical IT service providers (including related subcontracting arrangements). As a result, service providers to FRFIs will likely be subject to similarly rigorous security reviews by FRFIs as oversight from federal regulators increases. (The Guidance has been criticised for failing to do more to address threats within the interconnected systems between FRFIs and non-FRFI third parties.)
OSFI has stated its intention to increase its resources in the area of operational risk to allow for more reviews of FRFIs (e.g. reviews of technology risk with a focus on cyber security; quality of data systems; and overall management of rising operational risk). As such, though the Guidance is structured to be a self-assessment tool, OSFI appears committed to providing the guidance and oversight required to encourage FRFIs to use the template to develop and maintain effective cyber security practices.