On October 28, 2013, the Office of the Superintendent of Financial Institutions Canada (“OSFI”) released a memorandum to provide guidance to federally regulated financial institutions (“FRFIs”) in assessing their level of cyber security preparedness. OSFI had previously identified technology risk with a focus on cyber security as one of its highest priority items in its “Plan and Priorities for 2013-2016”. The memorandum attaches a self-assessment questionnaire designed to help FRFIs identify where gaps in its cyber security preparedness may lie, as well as to provide an idea as to the standard to which it should comply. OSFI is to be commended for setting out these self-assessment best practices for FRFIs to work with as cyber risk is not only real but a growing and very concerning risk in today’s world and particularly so for financial institutions as it could affect so many.
The approach taken in the memorandum is consistent with OSFI’s overall approach to risk management and risk governance. In this regard, it is noteworthy that one of the items in the memorandum is that the FRFI’s operational risk appetite and tolerance (which are addressed in OSFI’s Corporate Governance Guideline) consider cyber security risk. As well, the memorandum reflects the “three lines of defence” model in which management is the first line of defence, controls and oversight functions (such as risk management) are the second line of defence, and internal audit is the third line of defence. The memorandum provides an indication of OSFI’s expectations with respect to each line of defence in this area. A key principle in OSFI’s Corporate Governance Guideline is the independence of oversight functions from operational management. Risk management and internal audit are two of those oversight functions and are expected to play key roles in managing cyber risk.
The major categories of assessment set out in the memorandum (including some examples of each) are as follows:
- Organization and Resources. The FRFI has assigned roles and responsibilities, and adequately allocated financial resources for cyber security. The FRFI also has cyber security staff that are properly vetted, skilled and trained.
- Cyber Risk and Control. The FRFI conducts regular and comprehensive security assessments and penetration testing, and takes steps to mitigate potential cyber risk arising from its outsourcing arrangements deemed material under OSFI Guideline B-10 and other critical IT service providers.
- Situational Awareness. The FRFI maintains an enterprise-wide knowledgebase of software and asset inventories, network information, and security event information. The FRFI also conducts automated analyses of security events to identify potential cyber attacks, and includes additional expert analysis, as well as participates in industry programs on cyber security.
- Threat and Vulnerability Risk Management. The FRFI has implemented tools to prevent unauthorized data from leaving the enterprise, monitoring outgoing traffic and safeguarding data. The FRFI has also installed standard security tools (e.g. anti-virus, DDoS protection, firewalls, and intrusion detection systems) using enhanced detection tools. As well, the FRFI has multiple layers of defence to mitigate against DDos attacks, segments its enterprise network, and implemented tools to secure mobile devices and wireless networks.
- Cyber Security Incident Management. The FRFI has documented procedures to monitor, analyze and respond to incidents, including escalation if required, rapid response and mitigation, and also has a post-incident review process and communication plan.
- Cyber Security Governance. The FRFI has established enterprise-wide policies that apply to all operating groups and entities (including subsidiaries, joint ventures and geographic regions), that delineate clear roles and responsibilities for each of the three lines of defence. The FRFI must have clear policies, risk management procedures, an internal audit of cyber security, senior management and board oversight, and must also engage in external benchmarking. A Senior Management committee has been established that is dedicated to the issue of cyber risk, or an alternative Senior Management committee has adequate time devoted to the discussion of the implementation of the cyber security framework. The Board, or a committee of the Board, is engaged on a regular basis to review and discuss the implementation of the FRFI’s cyber security framework and implementation plan, including the adequacy of existing mitigating controls.
OSFI states in the memorandum that it is providing the questionnaire for the purposes of helping FRFIs with a self-assessment of their preparedness, but that OSFI does not yet plan to establish specific guidance to contain cyber risk. However, OSFI notes that it may request FRFIs to complete the questionnaire or otherwise explain cyber security practices during supervisory assessments, so familiarity with the questionnaire and the relevant issues, as well as how the FRFI’s practices measure up, is highly recommended. Further, it is likely that FRFIs will seek to pass through to IT service providers any solution requirements that the FRFI adopts in response to the memorandum, and to ensure that the FRFI has a contractual right to similarly audit and assess the service provider in this area.