
OSFI B-13: Cyber risk management for Canadian Federally Regulated Financial Institutions

To boost the financial sector’s resilience against evolving cyber threats in Canada, the Office of the Superintendent of Financial Institutions (OSFI) published Guideline B-13 on Technology and Cyber Risk Management. Guideline B-13 mandates that Federally Regulated Financial Institutions (FRFIs) enhance their cyber governance, risk identification, and incident response capabilities as part of measures to quash cyber attacks.

Article
23 March 2026 | 9 mins read
By Global Relay
Written by humans

In brief:

  • Instead of a script, B-13 is a set of guidelines underpinned by 17 principles that facilitate FRFIs’ achievement of the desired outcomes.
  • In light of growing and increasingly sophisticated cyber risks, OSFI Guideline B-13 on Technology and Cyber Risk Management bolsters FRFIs’ capabilities to manage digital security and resilience effectively.
  • Implementing a robust cyber risk management strategy is now crucial for operational stability and legal adherence for Canadian FRFIs, as well as contributing towards the country’s stability.

Evolving cyber risks threaten Canada’s stability

In his foreword to the National Cyber Threat Assessment 2025-2026, the Honourable Bill Blair, Minister of National Defence for Canada, said:

“Cyber threats to Canada are becoming more complex and sophisticated, threatening our national security and economic prosperity. In the last two years, we have witnessed a sharp increase in both the number and severity of cyber incidents, many of which target our essential services.”

Major cyber threats in Canada’s financial sector include phishing, ransomware, social engineering, and supply chain attacks, all of which aim to steal sensitive data for financial gain. These attacks are driven by the high value of financial data and the potential for significant disruption and leverage.

Risk-based technology governance

OSFI published the final version of Guideline B-13 in July 2022, yet many FRFIs were preparing for the changes well before it came into effect on January 1, 2024.

Despite preparation, many organizations still face vulnerabilities that the B-13 Guideline is designed to address. Identifying and closing these cyber gaps is critical for building resilience.

Cyber attacks targeting the financial sector tripled between 2022 and 2023, according to a Technical Note on Cyber Resilience of Canada’s Financial Sector prepared by the International Monetary Fund. Concurrently, Canadian financial institutions are facing attacks that are escalating rapidly in both frequency and sophistication.

Failure to comply with Guideline B-13

Mismanagement of cyber risks can result in devastating consequences. While Guideline B-13 does not have its own specific penalty schedule, non-compliance can trigger the general enforcement mechanisms as outlined in the Administrative Monetary Penalties (OSFI) Regulations.

Non-adherence to OSFI B-13 can result in fines ranging from $10,000 CAD to $500,000 CAD depending on the severity and whether an individual or organization was at fault.

Guideline B-13: Key elements of compliance

The serious consequences of overlooking the B-13 Guideline underscore the need for sound business and financial practices, and specifically a robust cyber risk management strategy.

The key elements of FRFI compliance with OSFI B-13 in respect of cyber risk management are:

  1. Governance and risk management focuses on the formal accountability, leadership, organizational structure, and framework for managing and overseeing technology and cyber security risks.
  2. Technology operations and resilience address the management and oversight of risks related to the design, implementation, management, and recovery of technology assets. This includes assessing critical third-party technologies and integration points with upstream and downstream dependencies, including both on- and off-premises technology.
  3. Cybersecurity is dedicated to the management and oversight of cyber risk in order to achieve a secure technology posture that maintains the confidentiality, integrity and availability of FRFIs’ technology assets.

How does OSFI B-13 address third-party cyber risk?

The increasing reliance of FRFIs on third-party technology providers means that the security perimeter extends far beyond the institution’s walls.

OSFI B-13 directly addresses third-party cyber risks by requiring financial institutions to enforce a robust cyber risk management framework across their vendor ecosystem. OSFI B-10 third-party risk management for Canadian financial entities also addresses this topic.

This focus is essential because a weakness in a single third-party provider, such as a cloud service or a software vendor, can pose a systemic threat to an entire FRFI.

The FRFI must assess the risk and criticality of every third-party arrangement. The rigor of the risk management activities (assessment, monitoring, measuring) must be proportionate to the level of risk identified.

The requirements for managing B-13 third-party risks must be read alongside OSFI’s Guideline B-10 (Third-Party Risk Management) for a complete picture.

The severity of B-13 third-party risks was illustrated by the 2020 SolarWinds supply chain attack. The attack demonstrated how compromising a single, trusted third-party vendor (in this case a software supplier) could allow attackers to gain undetected access to the internal networks of numerous, well-defended organizations.

The large-scale AWS outage which affected more than 2,000 companies worldwide including major banks and stock exchanges further proves that increasing cyber resilience is an urgent priority.

OSFI B-13 proportionality explained

The application of OSFI’s Guideline B-13 is principles-based and proportional to an institution’s technology and cyber risk maturity and profile, rather than its size alone.

This means that the specific measures and depth of implementation will vary based on the complexity of operations and associated risks of individual FRFIs.

When considering B-13 implementation in 2025, this principle is especially important. This allows FRFIs to take a more tailored approach without compromising the core principles of the guideline.

What are common cyber risk gaps and necessary resilience builds for B-13 compliance?

Sections 1.3 and 3.1 of Guideline B-13 address expectations when it comes to managing cyber gaps, by way of Principle 3 and Principle 14 respectively.

OSFI B-13 Principle 3 states that:

FRFIs should establish a technology and cyber risk management framework. The framework should set out a risk appetite for technology and cyber risks and define FRFI’s processes and requirements to identify, assess, manage, monitor and report on technology and cyber risks.

Similarly, OSFI B-13 Principle 14 states that:

FRFIs should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.

Some important considerations for FRFIs when it comes to closing cyber risk gaps include:

  • Legacy system vulnerabilities: Older systems often present significant security flaws and difficulties with modern integrations
  • Supply chain exposures: The reliance on third-party vendors for critical services creates extended security perimeters that need rigorous oversight
  • Testing shortfalls: Insufficient testing leaves organizations unprepared for real-world attacks

Cyber resilience testing best practices

B-13 testing best practices and resilience builds boil down to the mantra “test early, test often, and test hard”, building cyber resilience by focusing on:

  1. Intelligence-led, proactive threat hunting and stress testing using simulated attacks and penetration testing based on current and real-world threats.
  2. Regular vulnerability assessments to be performed on all technology assets, ranking them based on severity and the actual risk exposure.
  3. Critically, FRFIs should assess how multiple small vulnerabilities, when combined, could create a single high-risk exposure.
  4. Continuous resilience checks, including change control testing, testing throughout the System Development Life Cycle, and incident rehearsals of disaster recovery and cyber incident response plans.
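Points 2 and 3 above can be made concrete with a small triage script. The following is an added illustration, not OSFI guidance or Global Relay code: it ranks individual findings by CVSS adjusted for asset context, then scores each asset’s combined exposure so that several low-severity findings on one internet-facing system surface as a single high-risk item. The sample findings, the context weights and the noisy-OR combination rule are all assumptions made for the example; only the qualitative bands (Low/Medium/High/Critical) follow the standard CVSS v3.x ranges.

```python
"""Vulnerability triage that ranks single findings and then scores each
asset's combined exposure. Added illustration, not OSFI or Global Relay
code; the findings, weights and the noisy-OR combination are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float            # CVSS base score, 0.0 - 10.0
    internet_facing: bool  # asset reachable from the internet
    data_class: str        # "public", "internal" or "confidential"


# Constructed sample findings for a hypothetical FRFI estate.
SAMPLE_FINDINGS = [
    Finding("web-portal-01", "Weak TLS cipher suites enabled", 2.8, True, "confidential"),
    Finding("web-portal-01", "Server banner discloses version", 2.0, True, "confidential"),
    Finding("web-portal-01", "No rate limit on login endpoint", 2.6, True, "confidential"),
    Finding("batch-srv-07", "Unpatched local privilege escalation", 7.8, False, "internal"),
    Finding("kiosk-22", "Default SNMP community string", 5.3, False, "public"),
]


def severity_band(score: float) -> str:
    """Qualitative bands as used by CVSS v3.x."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def context_weight(f: Finding) -> float:
    """Assumed exposure multiplier: +0.2 for internet exposure, +0.2 for confidential data."""
    return 1.0 + (0.2 if f.internet_facing else 0.0) + (0.2 if f.data_class == "confidential" else 0.0)


def single_risk(f: Finding) -> float:
    """Actual risk exposure of one finding: CVSS scaled by asset context, capped at 10."""
    return min(10.0, f.cvss * context_weight(f))


def rank_findings(findings):
    """Most urgent individual finding first."""
    return sorted(findings, key=single_risk, reverse=True)


def combined_exposure(findings):
    """Per asset, treat findings as independent chances of compromise (noisy-OR):
    P(at least one works) = 1 - prod(1 - cvss_i / 10), then apply the asset context.
    All findings on one asset are assumed to share that asset's context."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)
    result = {}
    for asset, fs in by_asset.items():
        p_none = 1.0
        for f in fs:
            p_none *= 1.0 - f.cvss / 10.0
        combined = min(10.0, 10.0 * (1.0 - p_none) * context_weight(fs[0]))
        highest = max(single_risk(f) for f in fs)
        result[asset] = {
            "findings": len(fs),
            "highest_single": round(highest, 1),
            "highest_single_band": severity_band(highest),
            "combined": round(combined, 1),
            "combined_band": severity_band(combined),
        }
    return result


if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{single_risk(f):4.1f} {severity_band(single_risk(f)):8} {f.asset:14} {f.title}")
    for asset, s in sorted(combined_exposure(SAMPLE_FINDINGS).items(), key=lambda kv: -kv[1]["combined"]):
        print(asset, s)
```

Run on the constructed data, the single-finding ranking puts the unpatched batch server first, while the combined view puts the web portal first: three Low findings on a confidential, internet-facing asset combine to a High exposure that no per-finding list would show. That divergence is the point of assessing combined exposure rather than only ranking individual findings.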

B-13 incident response expectations

The OSFI Guideline B-13 outlines incident response expectations in two key areas: Technology Incident and Problem Management (Section 2.7) and Cyber Security Response (Section 3.4).

  1. Formal process (2.7.1): FRFIs must implement a formal incident management process with defined roles, responsibilities, prioritization based on business impact, clear escalation paths, and communication protocols.
  2. Response capabilities (2.7.2): Establish capabilities for timely reporting (internal and external to OSFI), develop response playbooks for plausible scenarios, and conduct periodic testing and exercises to identify and remedy gaps. This includes testing processes with third-party providers.
  3. Problem management (2.7.3): Develop processes for post-incident reviews, root cause analysis, and learning from incidents to continuously improve management procedures.
  4. Cyber security alignment (3.4.1): Ensure integration between cyber security, technology, crisis management, and communication protocols.
  5. Timely containment (3.4.4): Maintain a dedicated incident response team with continuous capabilities to rapidly respond, contain, and recover from security events.
  6. Forensics and learning (3.4.5): Conduct forensic investigations for material exposures and detailed post-incident assessments to determine the root cause and inform future remediation.

How to leverage technology for B-13 monitoring

Effective and continuous monitoring is the backbone of sustainable cyber risk management. The technology risks that OSFI B-13 addresses cannot be managed manually; they require sophisticated systems to keep pace with evolving threats.

Key tech for B-13 monitoring includes:

  • SIEM System Integrations: Implementing Security Information and Event Management (SIEM) systems allows for centralized log aggregation and real-time security event analysis.
  • Encrypted logs: Ensuring that all logs are encrypted, both in transit and at rest, is a baseline security requirement for data integrity.
  • AI threat hunting: Leveraging AI for proactive threat hunting can identify subtle, emerging patterns that human analysts or traditional rules-based systems might miss.
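To show what the first two bullets mean in practice, here is an added toy pipeline (not any SIEM vendor’s code, and not from Global Relay) that does in a few dozen lines what a SIEM does at scale: it normalises two different log formats into one schema, protects the stored records with an HMAC chain so that an edited or deleted entry is detected, and runs one correlation rule over the combined stream. The log lines, the key, the user names and the rule thresholds are all constructed for the example. The HMAC chain addresses the integrity part of the “encrypted logs” bullet; confidentiality in transit and at rest still comes from TLS and storage encryption, which this example does not cover.

```python
"""Toy SIEM-style pipeline: normalise two log formats into one schema, protect
the stored records with an HMAC chain, and run a correlation rule over them.
Added illustration, not any vendor's code; the log lines, key and rule
thresholds are constructed for the example."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timedelta

# Constructed sample events from two sources: a syslog-style SSH auth log and
# a JSON application log. All timestamps are UTC.
RAW_LINES = [
    ("auth", "2026-03-01T09:00:01Z sshd[1201]: Failed password for alice from 198.51.100.7"),
    ("auth", "2026-03-01T09:00:09Z sshd[1201]: Failed password for alice from 198.51.100.7"),
    ("auth", "2026-03-01T09:00:15Z sshd[1201]: Failed password for alice from 198.51.100.7"),
    ("app", '{"ts": "2026-03-01T09:01:30Z", "user": "alice", "event": "login_success", "src": "203.0.113.9"}'),
    ("auth", "2026-03-01T09:05:00Z sshd[1337]: Accepted password for bob from 192.0.2.44"),
]
DEMO_KEY = b"constructed-demo-key-not-for-production"  # assumption: a real key lives in a KMS/HSM

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise(source: str, line: str):
    """Map a source-specific line onto the common schema; None for lines the parser does not know."""
    if source == "auth":
        m = AUTH_RE.match(line)
        if not m:
            return None
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
        return {"ts": parse_ts(m["ts"]), "user": m["user"], "outcome": outcome, "src": m["src"], "source": source}
    if source == "app":
        d = json.loads(line)
        outcome = "success" if d["event"] == "login_success" else "failure"
        return {"ts": parse_ts(d["ts"]), "user": d["user"], "outcome": outcome, "src": d["src"], "source": source}
    return None


def _canonical(record) -> bytes:
    return json.dumps(record, sort_keys=True, default=str).encode()


def chain_records(records, key: bytes):
    """Each tag is HMAC(key, previous_tag || record); editing or deleting an earlier
    record changes every later expected tag, so tampering is detectable."""
    prev = b"\x00" * 32
    chained = []
    for r in records:
        tag = hmac.new(key, prev + _canonical(r), hashlib.sha256).hexdigest()
        chained.append({"record": r, "tag": tag})
        prev = bytes.fromhex(tag)
    return chained


def verify_chain(chained, key: bytes) -> int:
    """Return -1 if every tag verifies, else the index of the first bad entry."""
    prev = b"\x00" * 32
    for i, entry in enumerate(chained):
        expected = hmac.new(key, prev + _canonical(entry["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = bytes.fromhex(entry["tag"])
    return -1


def failures_then_foreign_success(records, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failures for a user, then a success
    from a different source address within `window` of those failures."""
    alerts = []
    history = {}
    for r in sorted(records, key=lambda e: e["ts"]):
        hist = history.setdefault(r["user"], [])
        if r["outcome"] == "failure":
            hist.append(r)
            continue
        recent = [f for f in hist if r["ts"] - f["ts"] <= window]
        if len(recent) >= threshold and any(f["src"] != r["src"] for f in recent):
            alerts.append({"user": r["user"], "failures": len(recent),
                           "success_src": r["src"], "at": r["ts"].isoformat()})
        hist.clear()
    return alerts


def run_pipeline(raw_lines=RAW_LINES, key=DEMO_KEY):
    events = [e for e in (normalise(s, l) for s, l in raw_lines) if e]
    chained = chain_records(events, key)
    return {"events": len(events), "chain_ok": verify_chain(chained, key) == -1,
            "alerts": failures_then_foreign_success(events)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

The rule only fires because the SSH failures and the application login were aggregated into one stream; seen in either source alone, neither half looks remarkable. The chain check is what lets a reviewer trust that stream during a post-incident assessment: altering one stored record, or verifying with the wrong key, reports the index of the first entry that no longer matches.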

A critical consideration is the architecture of these systems. A unified cyber stack provides a holistic view, breaking down data barriers and significantly improving the speed and accuracy of incident response. Siloed vs. unified cyber stacks is an important consideration for B-13 implementation in 2025.

Final thoughts: Why is OSFI B-13 a driver for financial resilience?

Canadian FRFIs should implement the principles of Guideline B-13 using a flexible, risk-based perspective to responsibly embrace digital innovation without compromising sound technology risk management.

Implementing robust governance, identification, and response mechanisms, supported by the right technology, helps mitigate cyber risks. FRFI compliance with OSFI B-13 enables Canadian financial institutions to make crucial progress towards enhancing their resilience.

Global Relay, end-to-end provider of compliant communications solutions, helps FRFIs to deliver on Guideline B-13’s 17 principles. Global Relay’s archiving solution enriches, analyzes, and organizes unstructured communications data in one scalable, cloud data store, bolstering FRFIs’ cyber risk management and resilience against data attacks.