Canada OSFI B-13 — Technology and Cyber Risk Management Guideline

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
Canada OSFI B-13 is a regulatory guideline that assists federally regulated financial institutions in managing technology risks and strengthening cybersecurity and operational resilience.
Why it Matters
OSFI B-13 establishes a comprehensive framework that helps financial institutions mitigate technology and cyber risks while meeting regulatory expectations. Key benefits include:
- Strengthen cybersecurity governance
Enhance oversight by clearly defining responsibilities for technology risk management and ensuring board-level attention to cybersecurity priorities.
- Enhance regulatory alignment
Support compliance by aligning organizational practices with OSFI requirements and other globally recognized standards.
- Promote operational resilience
Reduce the risk of business disruptions by requiring robust controls for critical systems, incident response, and ongoing technology risk assessments.
- Improve third-party risk oversight
Enable organizations to better assess and manage technology risks associated with third-party vendors and service providers.
- Increase audit readiness
Facilitate smoother regulatory audits by maintaining comprehensive documentation and demonstrating effective technology risk management practices.
How it Works
OSFI B-13 is organized into three domains: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security. Across these domains it sets expectations for senior management and board oversight and for a risk management lifecycle of identifying, assessing, mitigating, and monitoring technology and cyber risks, covering operational resilience, third-party risk, change management, incident response, and continuous monitoring.
Key Elements
- Technology Governance Structure
Establishes oversight responsibilities and decision-making processes for technology and cyber risk management.
- Risk Identification and Assessment
Describes processes for recognizing, analyzing, and prioritizing technology and cyber risks within the organization.
- Incident Response and Recovery
Outlines procedures for managing technology incidents and restoring operations following disruption or compromise.
- Third-Party Risk Oversight
Defines requirements and approach for assessing and monitoring technology risks related to external partners and service providers.
Framework Scope
OSFI B-13 is used by federally regulated financial institutions, including banks and insurance companies, to govern technology assets, information systems, and sensitive data.
Framework Objectives
OSFI B-13 sets clear expectations for technology and cyber risk management to protect financial institutions and promote operational resilience.
- Strengthen cybersecurity governance and oversight of critical technology assets
- Enhance risk management practices to reduce technology and cyber risks
- Improve regulatory compliance by aligning with sector-specific requirements
- Promote operational resilience to minimize disruptions and maintain essential services
- Classification: Category: Operational Resilience; Domain: Cybersecurity; Framework Family: Other
- Regulatory Context: Type: Framework; Legal Instrument: Guideline; Sector: Financial Sector; Industry: Financial Services
- Region / Publisher: Region: North America; Region Detail: Canada; Publisher: Office of the Superintendent of Financial Institutions (OSFI)
- Versioning: Version: Guideline B-13; Issue Date: July 2022; Effective Date: January 1, 2024
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source: OSFI
License included / downloadable: Yes
OSFI Guideline B-13 is publicly available through the Office of the Superintendent of Financial Institutions and can be accessed without a commercial license.
How SmartSuite Supports Canada OSFI B-13
Centralize controls, evidence, and audit workflows to stay continuously B-13-ready.
B-13 Requirement Library and Ownership
Organize governance, resilience, and cybersecurity expectations with ownership.
Technology and Cyber Risk Assessments
Run periodic assessments and track treatment plans and approvals.
Operational Resilience Testing Program
Schedule testing, capture results, and manage remediation through closure.
Third-Party and Outsourcing Oversight
Track due diligence, contract controls, and ongoing monitoring evidence.
Incident Response and Recovery Workflows
Run incidents and recovery tasks with documented timelines and outcomes.
Supervisory Reporting Dashboards
Provide leadership-ready reporting on posture, gaps, and remediation status.
Related frameworks

DORA is an EU regulation requiring financial firms to manage ICT risks, report incidents, test security, and oversee third-party providers.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

ISO/IEC 27017 provides cloud-specific security controls to help organizations protect data and manage cloud-related risks.

ISO/IEC 27018 provides guidelines for protecting personally identifiable information processed in public cloud services.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For Canada OSFI B-13 (Technology and Cyber Risk Management Guideline)
OSFI B-13 is designed to help federally regulated financial institutions in Canada manage technology and cyber risks. It sets regulatory expectations for governance, risk management, and security controls to protect critical systems and sensitive information.
OSFI B-13 is a guideline issued by the Office of the Superintendent of Financial Institutions (OSFI) that sets out its expectations for banks, insurers, and other federally regulated financial institutions. It is not a certifiable standard; adherence is assessed through OSFI's supervisory review rather than through a third-party certification.
B-13 applies to all federally regulated financial institutions in Canada, including banks, insurance companies, and trust companies. Its requirements are relevant to organizations handling critical financial systems and customer data.
The guideline emphasizes governance, operational resilience, risk assessment, incident response, third-party management, change management, and ongoing monitoring. It requires institutions to establish internal controls, inventories, and processes for risk identification and mitigation.
Implementation involves aligning existing information technology and cybersecurity practices with B-13's expectations. This includes conducting regular risk assessments, mapping policies to controls, maintaining compliance evidence, and integrating governance into IT operations.
OSFI B-13 complements international standards such as the NIST Cybersecurity Framework and ISO/IEC 27001 by providing sector-specific guidance tailored to Canadian federally regulated financial institutions. Organizations often map B-13 expectations to existing controls from these global frameworks to ensure comprehensive coverage and to avoid duplicating evidence collection.
Organizations must maintain a governance structure for continuous monitoring, perform regular technology risk assessments, test incident response plans, and provide evidence of compliance for regulatory audits. Ongoing reporting to senior management and the board is essential for sustained compliance.
SmartSuite enables organizations to manage OSFI B-13 compliance by centralizing risk registers, developing control libraries, and linking policies to controls. It supports evidence collection, facilitates audit readiness with workflow automation, and provides dashboards and reporting tools to streamline governance and demonstrate compliance to regulators and boards.
Put OSFI B-13 into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

