On October 28, 2013, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum (the Memorandum) and guidance including a self-assessment template (the Template) (available here) regarding cyber security self-assessment for federally regulated financial institutions (FRFIs). OSFI expects that senior management of FRFIs will review their cyber risk management policies and practices on an enterprise basis to ensure they remain appropriate and effective.
The Memorandum does not require an FRFI to change its self-assessment process if it already has one in place, but it should be noted that future supervisory assessments may see OSFI request that FRFIs complete the Template or take other steps to emphasize cyber security practices.
While OSFI does not currently plan to establish specific guidance for the control and management of cyber risk—and recognizes that many FRFIs are already engaged in cyber security practice reviews—it has nevertheless provided the Template and has encouraged FRFIs to use it on a voluntary basis. This greater focus on cyber security is consistent with OSFI’s published Plan and Priorities for 2013-2016 (available here).
The Cyber Security Self-Assessment Template
The Template sets out properties and characteristics of cyber security practices to be considered by an FRFI when assessing the adequacy of its cyber security framework or when considering changes to that framework. It should also be noted that the Template contemplates assessments of some IT service providers and material outsourcing arrangements.
The Template includes a list of criteria in six groups. For each criterion, an FRFI may rank its current degree of maturity on a 1 to 4 scale (4 = Fully Implemented and 1 = Not Implemented). The six groups are described below.
1. Organization and Resources
This group allows an FRFI to consider the roles, responsibilities and training of its personnel with respect to threat intelligence, threat management and incident response.
2. Cyber Risk and Control Assessment
This group assesses an FRFI’s processes with respect to assessing cyber risk and guiding responses. This group includes an analysis of IT service providers and outsourcing arrangements that are material under OSFI’s B-10 Guidelines.
3. Situational Awareness
This group assesses an FRFI’s ability to stay current with cyber risks through record-keeping and through participation in industry programs and subscriptions to industry research regarding cyber security.
4. Threat and Vulnerability Risk Management
The criteria in this group assess the ability of an FRFI to identify and manage its vulnerabilities under numerous headings:
— Data Loss Detection / Prevention;
— Cyber Incident Detection and Mitigation;
— Software Security;
— Network Infrastructure;
— Standard Security Configuration and Management;
— Network Access Control and Management;
— Third Party Management; and
— Customers and Clients.
5. Cyber Security Incident Management
This group assesses an FRFI’s incident management process, including monitoring, escalating, communications, incident resolution, and incident review process.
6. Cyber Security Governance
This group assesses whether an FRFI has a proper framework in place, both strategically and operationally. There criteria are related to audit, senior management involvement and board oversight.
The Memorandum is consistent with OSFI’s enhanced focus on cyber security issues. Many FRFIs already have a process in place for self-assessment, but they may wish to consider whether their current process aligns with OSFI’s approach, particularly since there is the possibility that OSFI will require FRFIs to use the Template or a similar process as part of a supervisory assessment.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2016 by Torys LLP.
All rights reserved.