What Is OSFI Cybersecurity Guideline B-13?
OSFI Guideline B-13 — Technology and Cyber Risk Management — is the Office of the Superintendent of Financial Institutions' comprehensive cybersecurity framework for federally regulated financial institutions (FRFIs) in Canada, including banks, insurance companies, trust and loan companies, and pension plans. Effective January 2024, B-13 replaced the 2013 Cyber Security Self-Assessment and established materially stronger requirements for technology risk governance, third-party risk management, and incident reporting.
Who must comply with OSFI B-13?
OSFI Guideline B-13 applies to:
- Canadian banks (Schedule I, II, III) including the Big Six (RBC, TD, BMO, Scotiabank, CIBC, NBC)
- Federal credit unions
- Life insurance and property and casualty insurance companies regulated federally
- Trust and loan companies
- Federally regulated pension plans
It does not directly apply to provincially regulated credit unions or insurance companies, though many adopt equivalent frameworks voluntarily or are subject to provincial equivalents (OSFI guidance often cascades to provincial regulators).
Core domains of OSFI B-13
- Governance and accountability — board-level cyber risk oversight; designated technology risk officer; clear escalation paths for cyber incidents
- Technology risk management — formal risk appetite for technology risk; asset inventory and lifecycle management; vulnerability management program
- Cyber risk management — threat intelligence program; security controls aligned with industry frameworks (NIST CSF, ISO 27001); penetration testing at least annually
- Third-party and supply chain risk — due diligence on all technology vendors; contractual security requirements; concentration risk assessment (for example, over-reliance on a single cloud provider)
- Cyber incident preparedness — documented incident response plan (IRP); regular tabletop exercises; recovery time and recovery point objectives defined
- Cyber incident notification — notify OSFI of technology or cyber incidents within prescribed timeframes; defined escalation criteria
OSFI B-13 incident notification requirements
FRFIs must notify OSFI of cyber incidents that meet the notification criteria. OSFI defines both what counts as an incident and when an incident must be reported:
- Technology or cyber incidents — any event that impacts the confidentiality, integrity, or availability of technology assets
- Notification criteria — incidents with the potential to cause significant financial loss, reputational harm, or regulatory concern must be reported within specific timeframes (typically immediately for major incidents, and within 24 hours for significant ones)
Impact on IT service providers and MSPs
OSFI B-13 has cascading effects on vendors and MSPs serving FRFIs, because the guideline makes the institution responsible for the security of its outsourced technology. Financial institutions must:
- Conduct due diligence on all technology service providers, including MSPs
- Include minimum security requirements in all technology vendor contracts
- Assess concentration risk when multiple FRFIs rely on the same providers
- Require vendors to notify them of incidents that may affect FRFI systems or data
Related glossary terms
- PIPEDA — Federal privacy law
- FINTRAC Compliance
- SIEM — Security Information and Event Management
- MDR — Managed Detection and Response
- vCISO — Virtual CISO
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677
Ready to transform your IT? Call (416) 623-9677 for a free assessment.