On October 28, OSFI released its Cyber Security Self-Assessment Guidance (the “Guidance”) to aid Federally Regulated Financial Institutions (“FRFI”) in assessing its level of preparedness against cyber risks. The Guidance was drafted in response to OSFI’s Plans and Priorities for 2013-2016, a plan that emphasizes vigilance against the increasing frequency and sophistication of cyber threats.

Cyber Security Self-Assessment Template

The Guidance directs FRFIs to conduct self-assessments against a number of criteria in the following six categories:

  1. Organizational Resources. e.g. Whether the FRFI has assigned specific roles and responsibility for the management of cyber security.
  2. Cyber Risk and Control Assessment. e.g.  Whether the FRFI assesses and takes steps to mitigate potential cyber risk arising from its outsourcing arrangements deemed material under OSFI’s Guidelines B-10.
  3. Situational Awareness. e.g. Whether the FRFI maintains current enterprise-wide knowledge base of its users, devices, applications, and their relationships.
  4. Threat and Vulnerability Risk Assessment.  e.g. Whether the FRFI has implemented tools to prevent unauthorized data leaving the enterprise.
  5. Cyber Security Incident Management. e.g. Whether the FRFI’s change management process has been designed to allow for rapid response and mitigation to material cyber security incidents.
  6. Cyber Security Governance. e.g. Whether a Senior Management committee has been established that is dedicated to the issue of cyber risk.

Interestingly, unlike the recently released U.S. NIST Preliminary Cybersecurity Framework, the Guidance is broad and does not reference external standards (e.g. ISO Standards). As a consequence, there is a large degree of subjectivity involved in the self-assessment. While OSFI has stated that they do not have current plans to establish a more specific guidance, OSFI also confirmed that they may request FRFIs to complete this template during future supervisory assessments.

Prepared with Assistance from Sam Ip