On October 13th, the Office of the Superintendent of Financial Institutions (“OSFI”) proposed two new guidelines: An Integrity and Security Guideline and an enhanced E-21 Operational Resilience and Operational Risk Management. The increased dependency on technology infrastructure has amplified existing risks and introduced new threats to critical operations such as increased security breaches, natural disasters, supply chain shocks, and a pandemic. The proposed guidance seeks to clarify OSFI’s expectations for operational resilience, integrity, and security protection as well as signal interconnections with existing guidance and new expectations currently not covered.
Highlights: E-21 Operational Resilience and Operational Risk Management
The enhanced guidance takes an outcomes-based approach, setting forth expectations for federally regulated financial institutions (“FRFIs”). Specifically, FRFI’s should:
· Be able to identify and protect themselves using sound risk practices against operational risk events and continue to deliver through disruption,
· Take a holistic approach to managing operational risk, governing from the top, and setting a risk appetite for operational risks,
· Integrate operational risk management into enterprise risk management and support operational resilience,
· Strengthen risk practices in areas that have an impact on the achievement of operational resilience such as:
o business continuity management,
o disaster recovery,
o crisis management,
o change management,
o technology and cyber risk management,
o third-party risk management,
o data risk management.
FRFIs are expected to prepare for, respond, recover, and learn from, and adapt to disruption, recognizing that disruption, including simultaneous disruption, will occur.
Key Takeaway
The guideline will require FRFIs to take stock of their critical operations and embed resilience into their existing risk management frameworks. Due to the interconnectedness of potential disruptive events, scenario testing will play a vital role in risk management and should include events such as large-scale technology failures, critical third-party interruptions, cyber incidents, and natural disasters. To effectively manage risk and support effective decision-making, a strong data strategy is needed.
The consultation period ends: February 5, 2024
Highlights: Integrity and Security Guideline
This guidance tackles the inter-relationship between integrity and security. As noted in the guidance “Failure to comply with ethical standards, regulations, and the law may increase the risk of a physical or electronic security breach. In turn, failure to appropriately protect physical or electronic security may be rooted in a lack of integrity and constitute not only a security failure, but breach of ethical standards, regulations, or the law.”
The guidance requires enhanced due diligence in terms of board character. It emphasizes the importance of promoting a culture conducive to ethical behaviour and ensuring governance has appropriate accountability mechanisms that support ethical norms and behavior. The premise behind the expectations for Integrity is that sound integrity practices will help reduce vulnerability to threats.
The guidance links security principles for physical premises, people, technology assets, and data and information and makes the connection to existing and proposed guidance.
Summary of the Inter-relationship between Guidelines
Principle # | Description of Principle | Related guidance |
1 | Senior leaders are of good character and demonstrate integrity through their words, actions, and decisions | E-17 Background checks on Directors and Senior Management |
2 | Culture consistent with ethical norms is deliberately shaped, evaluated and maintained | Draft: Culture and Behavior Risk Guideline |
3 | Governance structures subject actions, omissions and decisions to appropriate scrutiny and promote ethical behavior. | Corporate Governance Guideline |
4 | Effective mechanism to identify and verify compliance with standards, regulations and laws exist | E-13 Regulatory Compliance Management |
5 | Physical premises are safe and secure and monitored appropriately | B-13 Technology and Cyber Risk Management E-21 Operational Risk Management and Operational Resilience |
6 | People should be subject to appropriate background checks and security screening, and strategies should be in place to manage risk | E-17 Background checks on Directors and Senior Management |
7 | Data and information should be subject to appropriate standards and controls ensuring its confidentiality, integrity, and availability | B-13 Technology and Cyber Risk Management E-21 Operational Risk Management and Operational Resilience |
8 | Third parties should be subject to equivalent and proportional measures to protect against threats | B-10 Third party Risk Management |
Key Takeaway
This guidance re-enforces the responsibility of the FRFI to protect the organization against security threat, explicitly stating that accountability cannot be contracted out. Procurement is cited as an area of focus but, I expect, how oversight happens in practice will be a subject for future discussion. As the velocity of business continues to accelerate, the relationship between third parties and financial institutions will need to become more intimate in order for a FRFI to have adequate assurance.
The consultation period ends: November 24th, 2023.
If members would like the CRTA to provide a collective response to one or both guidelines, please get in touch: donna@canadianregtech.ca by October 23, 2023.