Canadian Cyber-Security Guidance for Financial Institutions

Espionage and criminal heists have enduring popularity whether as news or cultural entertainment. However, it is not just big business for reporters, authors and producers. In the digital era,  some reports place losses from cybercrime and cyber-espionage in the hundreds of millions of dollars.

Nevertheless, there is a gap between perceived risk and action. A 2013 report by KPMG LLP (Canada) and The Gandalf Group demonstrated that Canadian executives understand that cybersecurity issues are an important overall organizational risk, only 24% surveyed are confident in their cyber-security efforts. Perhaps more disturbing, Canadian executives also believe that it will be someone else that will be attacked.

Yesterday, the Office of the Superintendent of Financial Institutions in Canada (OSFI) released Cyber-Security Self-Assessment Guidance for federally regulated financial institutions (FRFIs). The Guidance stated that the “increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile for many organizations around the world.” OSFI also stated that the reliance on technology and the interconnectedness of the financial sector means that threats due to cyber-attacks may affect the overall economy. Therefore, senior management of FRFIs must assess and adapt preparedness.

To assist organizations, OSFI has published a template risk assessment tool. However, unlike the US National Institute of Standards and Technology draft Cybersecurity Framework  (developed at the direction of the US President’s Executive Order on critical infrastructure cyber-security), OSFI is less prescriptive and states that it does “not currently plan to establish specific guidance for the control and management of cyber risk.” Rather, the Guidance provides a template for organizations to measure their level of maturing in addressing cyber-security risks. OSFI did say that it may request that FRFIs use the assessment tool or “otherwise emphasize cyber-security practices during future supervisory assessments.”

The OSFI self-assessment tool is comprised of six components. Each component contains numerous cybersecurity preparedness principles. FRFI’s are meant to rate themselves from 1 to 4 with “1″ being not implemented and “4″ being fully implemented. The following is a brief orientation to the six components.

1. Organization and Resources. In this component, the FRFI assesses whether it has clearly defined roles and accountability for cybersecurity issues as well as appropriately trained personnel and resources to implement threat intelligence, threat management and incident response.

2. Cyber Risk and Control Assessment. This component contains principles that are focused on whether the FRFI has processes to assess and respond to cyber-security risks, including those arising from its critical IT service providers. For example, one question relates to whether the FRFI conduct regular cyber-attack and recovery simulation exercises.

3. Situational Awareness. The principles in this component relate the FRFI’s self-knowledge of its own infrastructure and cyber-security events and its knowledge of cyber-security risks in the industry generally.

4. Threat and Vulnerability Risk Management. This component involves principles relating to data loss detection and prevention, cyber incident detection and mitigation, software security, network infrastructure security, network access control and management, third party management, and other vulnerabilities.

5. Cyber-security Incident Management. Under this component, the FRFI assesses itself against principles relating to the maturity of the FRFI’s cyber-security incident management framework.

6. Cyber-security Governance. The principles in this component include whether the FRFI has an enterprise-wide cyber-security policy or strategy, conducts internal audits, identifies and manages cyber-security risks as part of the overall risk management processes of the organization, has established senior management and board reporting and oversight, and benchmarks against the industry.

The OSFI guidance can be found here.