For Federally Regulated Financial Institutions (FRFIs) in Canada, the new year has brought new requirements. Guideline B-13 on Technology and Cyber Risk Management, published by the Office of the Superintendent of Financial Institutions (OSFI), took effect on January 1, 2024.

The new Guideline comes as no surprise to FRFIs. Many organizations have been preparing for B-13 since the final version was released on July 13, 2022. Much of the guidance consists of long-established, industry leading practices. To ensure adherence, OSFI has strongly encouraged FRFIs to self-assess their current posture against the Guideline and be ready to provide a holistic risk-based assessment of how they meet the B-13 outcomes.

As FRFIs readied themselves for B-13, many non-financial risks intensified in the Canadian financial landscape: cyber-attacks increased in sophistication and severity, technology-driven disruptions and the digitization of money put more pressure on financial business models and operations, and the increased reliance on third-party providers has given rise to new concentration risks.[1]

As FRFIs prepared for B-13 to take effect, KPMG in Canada launched an industry survey to check in and see where they were along the adherence journey. We learned what steps they had already taken, and what they’re planning to do next in order to enhance their governance and risk management processes, strengthen the resilience of their technology operations, and enhance their cyber security capabilities.

How FRFIs stack up against B-13 outcomes

We asked our participants to provide details about their technology and cyber risk management practices, as well as to assess their current maturity using a scale ranging from “1 – Initial” (the lowest level of maturity, with controls implemented in an ad hoc manner and generally undocumented) to “5 – Continuous Improvement” (the highest level of maturity, with controls being continuously improved to address changing business needs and risks) across the three domains of the Guideline.

[Figure: Average maturity levels – population and peer groups comparison]

Governance and risk management

Overall, large FRFIs are strongly positioned in this area compared to the rest of the survey population and demonstrated a robust view of their strengths and weaknesses. By contrast, smaller FRFIs find this area the most demanding of the B-13 requirements. In particular, local branches and subsidiaries of international financial institutions found it even more challenging given their limited visibility over technology and cyber governance, since those processes are mostly managed outside of Canada in the parent institution's home country.

Regardless of the size of the organization, those who have regular meetings with their Board and Management teams to discuss and address technology and cyber risk show higher maturity scores for governance and risk management compared to their peers.

Finally, participants with high maturity scores in this area outperformed the rest of the survey population in the two other domains of B-13, highlighting the importance of having robust governance and risk management processes in place.

Technology operations and resilience

Technology asset management is a foundational capability, but it's also a large and complex task that takes time. Organizations can have thousands of devices and applications to inventory and manage. The more complex systems are, the more critical a comprehensive technology asset management strategy becomes, and the task of making sure assets are up to date and free from vulnerabilities requires significant ongoing effort, especially for larger FRFIs. Participants lacking a complete overview of their critical assets (e.g., "Crown Jewels") and their environment-specific risks tend to score significantly lower in technology operations and resilience and in the overall readiness average. This emphasizes the necessity of having a clear understanding of technology assets for better risk mitigation.

With respect to System Development Lifecycle (SDLC), several surveyed FRFIs have attempted to move from waterfall to agile methodology. However, some of them have needed to revisit their change delivery approach to ensure they’re viewing it through an appropriate risk management lens, which includes robust documentation and a solid configuration inventory.

Cyber security

Because cybersecurity has been a focus for many organizations and regulators for decades, FRFIs demonstrated the highest maturity scores in this area. OSFI itself issued a cybersecurity self-assessment tool several years ago, which served as preparation for many Canadian FRFIs when it came to adherence to the B-13 requirements.

In addition, participants who regularly engage in realistic cyber incident simulations and self-assessments to evaluate the effectiveness of their cybersecurity function report maturity scores that better reflect their current risk exposure.

Additional organizational challenges

Some of the biggest organizational challenges the surveyed FRFIs faced in meeting the B-13 outcomes were:

  • Misalignment on outcomes between the business and IT stakeholders
  • Insufficient talent and/or skills
  • Lack of budget and/or sponsorship

Based on participants’ self-assessment maturity scores, on average, the three best-performing and worst-performing Principles of Guideline B-13 for the survey population and peer group were (see table):

Industry Survey on Guideline B-13 – Focus on Principles

Survey population
  Strong performing areas:
    1. Disaster recovery plans are established
    2. Detect
    3. Patch management
  Areas of improvement:
    1. Technology asset management
    2. System development life cycle
    3. Technology and cyber risk management framework

Peer Group 1
  Strong performing areas:
    1. Respond, recover and learn
    2. Technology and cyber strategy
    3. Detect
  Areas of improvement:
    1. Technology asset management
    2. System development life cycle
    3. Patch management

Peer Group 2
  Strong performing areas:
    1. Change and release management
    2. Technology project management
    3. Incident and problem management
  Areas of improvement:
    1. Technology asset management
    2. Technology architecture
    3. Identify

Peer Group 3 (excluding subsidiaries and branches)
  Strong performing areas:
    1. Patch management
    2. Identify
    3. Respond, recover and learn
  Areas of improvement:
    1. System development life cycle
    2. Change and release management
    3. Technology and cyber risk management framework

Peer Group 3 (subsidiaries and branches only)
  Strong performing areas:
    1. Disaster recovery plans are established
    2. Disaster recovery plans are tested
    3. Patch management
  Areas of improvement:
    1. Technology and cyber risk management framework
    2. Technology and cyber strategy
    3. System development life cycle

What’s next?

Overall, FRFIs who stand out as prepared for B-13 are primarily focusing on where to improve and gain efficiencies. Because adherence to the Guideline is not a one-time effort, FRFIs will need to demonstrate they have robust measures in place to ensure ongoing monitoring of their risk posture and consistency across their lines of defence. Even though FRFIs have continued to make progress, there’s still work to be done for many of them. The task now is to develop a roadmap to remediate gaps and work efficiently to fill them.

  • Conduct a maturity assessment
    Many organizations performed readiness or maturity assessments prior to B-13 coming into effect to gauge their progress and identify remaining gaps. If you haven’t done it, it’s never too late. FRFIs are at variable stages of readiness and some challenges are common to organizations of a certain size. Many of the B-13 recommendations appear complex to implement, but consist of basic technology hygiene and leading practices. Find a partner that can help assess your implementation program and accelerate the process of finding and closing any gaps.
  • B-13 isn’t an isolated guideline. It’s a building block
    Recognize that B-13 is part of an ecosystem of OSFI guidelines. Every effort made and achievement already realized for B-13 can be leveraged for other related guidelines, including Guideline B-10 on Third Party Risk Management and Guideline E-21 on Operational Resilience and Operational Risk Management, which are coming down the OSFI pipeline next.
  • The process itself builds resilience
    Don't view your adherence to B-13 as a "check the box" exercise. Rather, think about it as a resilience-building exercise. These are industry leading practices informed by current circumstances. It's important to see the big picture and commit to the process from a budget and strategy perspective. In the end, the process itself can make your organization more efficient, more effective, and more resilient overall.

[1] OSFI's Annual Risk Outlook – Fiscal Year 2023-2024

How we can help

KPMG in Canada has extensive knowledge of OSFI guidelines, of the financial services industry, and of the technology and cyber risk management landscape. We've helped a range of financial institutions of varying sizes and complexity navigate these new requirements. Our professional consultants have the tools and solution sets to help accelerate your journey to adherence. For help assessing your readiness, identifying and addressing gaps, and ultimately building resilience, connect with us at KPMG in Canada.