OSFI releases updated cyber security self-assessment (part two)

The Office of the Superintendent of Financial Institutions (OSFI) recently released an updated Technology and Cyber Security Incident Reporting Advisory and new requirements for the Cyber Security Self-Assessment (the Self-Assessment). Both updated guidance documents are effective immediately. The updates seek to clearly outline OSFI’s expectations for federally regulated financial institutions (FRFIs) when assessing their cybersecurity posture and reporting incidents. 

To read part one of this update on the changes made to the advisory, click here. Part two of this update tackles OSFI’s Self-Assessment tool, which is seeing its first update since 2013. In particular, OSFI is enhancing its Self-Assessment to reflect the current cybersecurity risks associated with the digitization of financial services.

What are the notable changes?

• Guidance updates: OSFI has announced that the updated Self-Assessment will be used to supplement future guidance announcements on sound management of technology and cyber risk. Additionally, there are plans in place for regular updates in order to stay on top of the cyber risk landscape. 
• Cyber risk rating scale: A new cyber risk rating scale is implemented in the updated Self-Assessment. The new Self-Assessment uses a six-level scale, ranging from levels 0 to 5, in an effort to allow FRFIs to further nuance different aspects of their cybersecurity posture. OSFI has provided guidance on what each level entails, which can be summarized as follows:
  • Level 0 – Non-Existent: There is no control implemented for this category.
  • Level 1 – Initial: Controls are generally undocumented and changing. Usually implemented in a reactive manner based on certain events. The security systems in place work but contain deficiencies or may be unequally applied. 
  • Level 2 – Repeatable: Controls are implemented in a repeatable manner across different systems and usually produce more consistent results. However, understanding of the controls may be limited and suitable documentation to explain the implemented controls may not be readily available.
  • Level 3 – Defined: Controls are well defined and understood thanks to proper documentation. They still may be subject to some degree of improvement, as the controls are reviewed and managed more proactively. OSFI considers this a developmental stage.
  • Level 4 – Quantitatively Managed: Controls include quantitative objectives set by the organization to control effectiveness and performance. Based on analyzing metrics, the FRFI is able to define normal operating patterns and predict control performance. There is a deeper and more comprehensive understanding of the implemented cyber security controls.
  • Level 5 – Continuous Improvement: Using incremental and innovative technologies, the FRFI continually improves the security controls to address changing business needs and concerns. At this level, the FRFI can rapidly respond to changes and is at the point where cyber security and risk management are integral to the organization.

OSFI notes that the risk-rating levels are intended to help the FRFI gauge the maturity of its security controls. For each item, a control statement states a best practice, process, responsibility or other safeguard against which the FRFI should compare its internal processes.   

• Focus and categories: There are many changes to the Self-Assessment template itself. One of the major changes is the different focus and categories used throughout the Self-Assessment. The updated version contains eight focuses, broken down into 20 categories, as follows:
  • Governance: Planning and strategy; policy; risk management
  • Identify: Business environment; asset management; risk assessment
  • Defend: Identity management and access control; network security; data security; vulnerability management; change and configuration management
  • Detect: Monitoring and logging; benchmarking, reviews and assessments; secure software development
  • Respond: Incident management
  • Recover: Testing and planning
  • Learn: Continuous improvement; security education
  • Third-party providers: Governance and management; cloud service providers
• Rating rationale and notes: Even though some categories and controls might overlap, OSFI notes that scores should be assigned to controls individually, taking them one at a time instead of collectively. 
• Supporting references: The Self-Assessment now encourages FRFIs to provide supporting references in addition to the cyber risk rating rationale. Accordingly, FRFIs should be prepared to produce supporting documentation for their ratings.
• Removal of action plan and target date(s): While the former Self-Assessment encouraged FRFIs to list an action plan and target date(s) for full implementation, the updated Self-Assessment has since removed this category and replaced it with supporting references. 

Takeaways – why complete the Self-Assessment?

With FRFIs accelerating digitization and digital transformation initiatives, the frequency, severity, and sophistication of cyber threats have increased, resulting in a higher risk of attack. OSFI’s objective is to ensure that, in part through the Self-Assessment, FRFIs understand their cybersecurity posture and implement any requirements or remedial actions to achieve (and maintain) the highest rating possible. 

Although the Self-Assessment is not mandatory, FRFIs are encouraged to complete the assessment to gain a better understanding of their level of cyber preparedness. This in turn will allow FRFIs to develop and maintain their cyber security practices and be ready in the event of a cyber attack. That said, organizations should be prepared to share their self-assessment with OSFI and be able to effectively justify why they have selected a particular rating for a given category. 

Furthermore, OSFI has announced forthcoming guidance that will supplement the Self-Assessment and be regularly refreshed. FRFIs should look out for future OSFI announcements to ensure their cyber security measures are up to date.

The authors wish to thank articling student Marisa Kwan for her help in preparing this legal update.