Canada’s banking regulator is launching consultations on proposed guidelines for the management of technology and cyber risks in the industry.
The Office of the Superintendent of Financial Institutions said the guidelines are meant to support banks and insurers in developing greater resiliency by outlining expectations in areas like accountability, risk identification and disaster recovery.
The guidelines come as recent ransomware attacks against Newfoundland and Labrador’s health system and the Toronto Transit Commission underline the potential cybersecurity threats posed to a wide variety of institutions.
The cybersecurity aspect of the proposed guidelines includes a range of expectations, among them the need to identify risks, conduct threat modelling, adopt secure-by-design practices, and integrate incident response capabilities.
OSFI’s draft guidelines build on several related guidelines, such as ones on operational risk management and outsourcing, as well as recently updated requirements on cyber incident reporting.
The regulator said it will conduct consultations for three months as it looks to formalize guidelines that strike a balance between risk management and allowing financial institutions to compete.