Managing technology and cyber risk is an ongoing challenge for federally regulated financial institutions (FRFIs). Regulatory attention and expectations have increased substantially in recent years. In early 2022, the Office of the Superintendent of Financial Institutions (OSFI) issued draft Guideline B-13: Technology and Cyber Risk Management. The final guideline was released in July after extensive consultations with financial sector stakeholders.

Guideline B-13 is part of a major shift in how OSFI sets expectations for regulated institutions and in OSFI’s approach to supervision. It is the first of many new or completely revised guidelines that focus squarely on the outcomes achieved by FRFIs. The prescriptive and detailed processes that used to be part of regulatory guidance are a thing of the past. FRFIs will be expected to develop their own detailed processes, leveraging industry standards for technology, governance and assurance that fit their own business needs and the risks that they face.

To manage their technology and cyber risks and meet OSFI expectations, FRFIs must determine and detail how they will achieve the outcomes laid out in B-13, instead of demonstrating that processes and controls are compliant with specific requirements. And they have until January 1, 2024, to do so.

FRFIs will need to assess their current operations in light of the new outcomes-focused approach demanded by B-13. Here are some key points to consider within the three domains that form the new guideline, and how to determine if your institution is on a path to successfully meet the requirements of B-13.

Governance and risk management

Desired outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.

Technology and cyber risk governance is a complex and dynamic challenge. It entails looking at critical assets, the threat vectors that can affect them, and then assessing how to protect the organization using measures that reach across people, process, and technology. Once measures are in place, FRFIs must also understand and accept the residual risks.

One of the most challenging aspects of governance is creating and maintaining risk appetite statements, which set the metrics and thresholds that in turn can trigger responses or actions (ranging from course corrections for technology implementation to internal and external escalation of significant cyber-attacks). Determining what is within and outside of an organization's risk appetite is tricky, especially when seeking the support and participation of executive management and boards of directors. Management must clearly articulate risk appetite and how it will be measured. One of the most effective ways to do this is by taking a qualitative approach to risk appetite statements that promotes and requires the use of supporting metrics. The limits, thresholds, risk tolerance levels and reporting structures in place must be comprehensive and data-driven, yet simple enough for the organization to actually use in its ongoing and daily activities.

FRFIs must also be able to demonstrate what their cyber risk management framework is based on (an industry framework such as NIST 800-53 or ISO 27005, for example), as well as how such approaches work as part of the organization's particular enterprise risk management framework. Changes made must be traceable, and FRFIs must both record and be able to demonstrate any actions taken. This means having documented practices in place, not just for mature elements but also for newer or informal processes that are less mature or not yet in use. Regulators will be more understanding of challenges whenever organizations can clearly detail what is being done to address them and how such action contributes to expected outcomes, especially in cases where solutions are a work in progress.

Technology operations and resilience

Desired outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating and recovery processes.

As FRFIs assess their technology solutions, increasing focus must be given to how they interact as an ecosystem that delivers the expected outcomes. FRFIs have been using technology for decades, with high availability of assets and systems being of principal importance to the organization. As a result, many legacy applications remain housed on servers that are no longer supported by vendors and cannot be patched in response to new or emerging threats. Migration of many applications to the cloud or to an alternate server architecture is difficult because of the need for 24/7 availability.

Moreover, the risks inherent to technology assets extend well beyond the actual application environment, for example:

  • Who owns the risks associated with the data?
  • Who owns the risks associated with the backup?
  • Who owns the risks associated with the peripherals (e.g. the servers, the desktops, or even the printers)?

B-13’s holistic, outcomes-driven expectations mean that FRFIs may have to reconsider the secure system development life cycle (SSDLC). Usually employed with the goal of producing the highest quality systems and software at the lowest cost and in the shortest time, the SSDLC needs robust security requirements and should establish practices for the integration of development, security and technology operations, so that new software can be deployed without compromising application security. Security risk assessments should be conducted for acquired systems and software, and defined coding standards should be in place to provide for secure and stable code.

All of these operations must be supported by robust change and release management processes and patch management practices. These activities should include protocols for testing all changes made to technology, and for ensuring that patches are applied across the FRFI's technology to address vulnerabilities and flaws in a timely fashion.

Incident response abilities, which are closely linked to business continuity and disaster recovery, are also a strong indicator of an FRFI’s overall resilience to technology risk. This extends well beyond cyber security: consider the impact of recent events in Canada, such as fires, floods, and even the COVID-19 pandemic. Having a realistic incident response and disaster recovery scenario in place is crucial, and it should include tests at multiple levels, including the operational/technical level, the leadership level, and the executive level.

Cyber security

Desired outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.

Defending an organization against cyber incidents includes identifying threats and risks through robust intelligence, tools and assessments. FRFIs often use an internal or external security operations centre (SOC) to handle these tasks. Vulnerabilities should be identified through regular scanning and through testing such as penetration testing and red/purple team exercises. This testing is only valuable if the FRFI understands holistically what systems and data are critical to operations, where they are and what measures are in place to protect them.

The Defence in Depth model is not new, and it is more relevant than ever given B-13 expectations. FRFIs should expect that some controls will fail or be compromised. To that end, there should be controls in layers around the network, systems and data, including the ability to contain cyber incidents when something goes wrong. Logical and physical controls need to be robust and regularly reviewed so that only the right people have access to the right things at the right time.

FRFIs must be able to demonstrate the actions they have taken in response to an incident and have processes in place to perform a root cause analysis. These essential activities must inform the evolution of the FRFI's risk management framework so that managing technology and cyber risk becomes a cyclical process: lay out the strategy; monitor, manage and respond to risks; then adjust the strategy and the risk assessment based on that response.

An initial technology and cyber risk checklist for financial institutions

Through an effective risk management framework, has the FRFI identified the critical assets and risks specific to the organization?

Does the FRFI know what data is in the cloud and how it is being secured?

Has the FRFI updated its cyber risk appetite statements with associated metrics and thresholds?

Has the FRFI completed multiple realistic cyber incident simulations at different levels within the organization?

Does the FRFI regularly complete a self-assessment to see how effective the cyber security function is? OSFI provides a self-assessment tool and there is an expectation that assessments are regularly conducted.

As FRFIs look to manage their technology and cyber risks and meet the expectations outlined in B-13, KPMG in Canada can help. Contact our team to learn more.