Earlier today, the Office of the Superintendent of Financial Institutions Canada (OSFI) issued Cyber Security Self-Assessment Guidance. The guidance follows on the heels of the release of the U.S. National Institute of Standards and Technology’s (NIST) Preliminary Cybersecurity Framework earlier this month, revelations of billions of dollars lost to cyber crime, and the continuing disclosures about surveillance by the NSA and others.
OSFI described the need for the guidance and how it expects federally regulated financial institutions (FRFIs) to use it as follows:
The increasing frequency and sophistication of recent cyber-attacks have resulted in an elevated risk profile for many organizations around the world. As a result, significant attention has recently been paid to the overall level of preparedness against such attacks by these organizations, including financial institutions, critical infrastructure providers, regulatory bodies, the media and the public at large.
Cyber security is growing in importance due to factors such as the continued and increasing reliance on technology, the interconnectedness of the financial sector, as well as the critical role that federally regulated financial institutions (FRFIs) play in the overall economy. OSFI thus expects FRFI Senior Management to review cyber risk management policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks.
OSFI recognizes that many FRFIs may have already conducted, or may be in the process of conducting, an assessment of their current level of preparedness. With this in mind, OSFI believes that they could benefit from guidance related to such self-assessment activities. Consequently, it is sharing the annexed cyber security self-assessment guidance to assist FRFIs in their self-assessment activities.
FRFIs are encouraged to use this template or similar assessment tools to assess their current level of preparedness, and to develop and maintain effective cyber security practices. OSFI does not currently plan to establish specific guidance for the control and management of cyber risk. Notwithstanding, and in line with its enhanced focus on cyber security as highlighted in its Plan and Priorities for 2013-2016, OSFI may request institutions to complete the template or otherwise emphasize cyber security practices during future supervisory assessments.