What does OSFI Guideline B-13 require from financial institution IT departments?

OSFI Guideline B-13 (Technology and Cyber Risk Management) requires federally regulated financial institutions to implement a technology risk framework, conduct regular risk assessments, manage third-party technology risks (including MSPs), and maintain business continuity plans. It also requires documented incident response capabilities and reporting to the board on cyber risk.

Does Outsource IT Canada support CIRO 7-year WORM email archiving requirements?

Yes. CIRO (formerly IIROC) requires registered dealers to retain electronic communications including email for 7 years in a tamper-evident, write-once-read-many (WORM) format. We implement Microsoft 365 Compliance Center archiving with WORM-equivalent immutable storage to satisfy this requirement.

Can you support Bloomberg Terminal and trading platform connectivity?

Yes. We manage the network infrastructure, firewall rules, and dedicated connectivity that Bloomberg Terminal and other trading platforms require. We also support FIX protocol connections, Reuters Eikon, and order management system (OMS) integrations common in wealth management and investment dealer environments.

Managed IT Services for Canadian Financial Services Firms

By Damir Grubisa, Founder & CEO, Group 4 Networks • Last updated May 2026

Canadian financial services firms — investment dealers, portfolio managers, insurance companies, mortgage brokers, and federally regulated banks — operate under technology governance requirements that are among the most prescriptive of any sector. OSFI Guideline B-13, FINTRAC's electronic record-keeping rules, and CIRO's communication archiving requirements create a compliance environment that demands an IT partner with specific financial sector expertise. Outsource IT Canada has been supporting Toronto financial services firms since 2008, with deep experience in the systems, audit obligations, and continuity requirements that regulators expect.

Financial services IT compliance context (2026):

OSFI Guideline B-13 explicitly designates IT service providers (MSPs) as "third-party risk" — requiring FRFIs to conduct due diligence on their IT vendors' security controls and document the relationship.
FINTRAC requires reporting entities to retain financial transaction records for 5 years in an accessible electronic format — the IT system must support production of records within 30 days of a request.
CIRO (formerly IIROC) requires registered dealers to archive all electronic business communications for 7 years in WORM-equivalent format — email, Teams messages, and SMS if used for client communication.
Financial sector data breaches in Canada average USD $6.08 million per incident — the second-highest industry cost after healthcare, per the IBM Cost of a Data Breach Report 2024.

"Financial services IT is fundamentally different from general business IT. The audit trail requirements, the archiving obligations, the trading platform connectivity — these are not optional features. Regulators treat technology failures as governance failures. Our financial services clients need IT managed with the same rigor they apply to their own compliance programs." — Damir Grubisa, Founder & CEO, Group 4 Networks (since 2008)

Regulatory requirements we address

OSFI Guideline B-13 — technology risk framework, third-party risk management, incident reporting, business continuity for federally regulated financial institutions
CIRO Rule 3800 — 7-year electronic communication retention in WORM-equivalent format for registered dealers
FINTRAC electronic records — 5-year retention of financial transaction and KYC records in accessible format
PIPEDA / privacy obligations — client financial data handling, breach notification, and data minimization
OSC / AMF requirements — cybersecurity incident reporting for registered capital markets participants

Systems we support

Bloomberg Terminal — dedicated network infrastructure, firewall policy management, Bloomberg B-Unit authentication support
Reuters Eikon / Refinitiv — network connectivity and workstation configuration for data terminal access
Croesus / Univeris / Addepar — portfolio management platform support and backup management
Broadridge / DST / SS&C — back-office settlement system connectivity and network requirements
Microsoft 365 with CIRO archiving — immutable email archiving configured for 7-year WORM retention, eDiscovery, and audit log production
Salesforce Financial Services Cloud — CRM for wealth management; we manage integration, MFA, and data classification

What's included in our financial services managed IT plans

24/7 network monitoring with 15-minute critical response SLA
OSFI B-13 third-party risk documentation (due diligence package for your regulators)
CIRO 7-year WORM email archiving and eDiscovery capability
FINTRAC-compliant record retention and accessibility
Bloomberg Terminal and trading platform connectivity management
SOC monitoring — Security Operations Center alerts for financial network anomalies
Business continuity and disaster recovery planning (required by OSFI B-13)
Annual technology risk assessment with board-level reporting documentation
Privileged access management for systems that touch client funds

Related resources

Sources & references

Office of the Superintendent of Financial Institutions. Guideline B-13: Technology and Cyber Risk Management. osfi-bsif.gc.ca
CIRO (Canadian Investment Regulatory Organization). Rule 3800 — Books and Records. ciro.ca
Financial Transactions and Reports Analysis Centre. Record-keeping requirements. fintrac-canafe.gc.ca
IBM Security. Cost of a Data Breach Report 2024. ibm.com

Ready to transform your IT? Call (416) 623-9677 for a free assessment.