The global cyber and regulatory landscape is changing rapidly, with many countries adopting their own regulatory frameworks, including the Digital Operational Resilience Act (DORA) in the EU, and new regulations from the Prudential Regulation Authority (PRA) in the United Kingdom and the Monetary Authority of Singapore (MAS) in Singapore.
Canada is the latest country to renew its focus on resilience: its regulator, the Office of the Superintendent of Financial Institutions (OSFI), is currently consulting on new expectations for how financial institutions manage third-party risk. These will closely mirror new regulations in other countries and change the way institutions in the sector are expected to operate.
Following OSFI’s call for comments, John Boruvka, Vice President, Sales – US for NCC Group Software Resilience, provides an overview of key points to note.
What would the proposed new directions consist of?
The proposed amendments will apply to all federally regulated financial institutions (FRFIs), which include all banks, loan companies and insurance companies. These companies will need to implement stronger governance and risk management programs to remain resilient throughout their supply chain.
At the same time, OSFI has broadened its definition of third-party risk to encompass everything from technology, cyber and data security to operational, business continuity, supply chain and concentration risks.
A growing reliance on third parties to provide critical functions within the industry makes the changes particularly important as financial institutions undergo rapid digital transformation and increase their supply chain risk. Behind every digital transformation program is a complex ecosystem of innovative third-party solutions that are increasingly cloud-based, which means supply chain risk management is becoming increasingly important.
What does this mean for organizations?
As a principles-based regulator, OSFI avoids prescriptive and detailed rules and therefore does not recommend specific solutions to ensure business continuity. This is different from other regulators around the world, such as the UK (PRA) and Singapore (MAS), which have explicitly encouraged organizations to use escrow solutions to build resilience. That said, under the new guidelines, organizations will be required to establish exit strategies that ensure the continuity of essential services.
In OSFI’s revised B-10 guidelines, which outline the new approach, the regulator recommends that organizations implement holistic third-party risk management programs. These should include making specific provisions to manage technology and cyber risk through the use of escrow and software verification and prioritizing resilience by design.
Escrow and verification solutions are essential to reassure stakeholders and demonstrably prove how services can be maintained during and after any disruption, and they must be at the heart of any exit strategy.
What’s next for regulation in Canada?
OSFI is seeking public comment on its revised guidelines by July 27, 2022, with a view to publishing the final guidelines in the fall of 2022. OSFI’s decision marks Canada’s participation in a global movement to strengthen the resilience of the financial sector, and it is likely that we will see more similar regulatory guidance in Canada and beyond in the future.
In the meantime, institutions should establish clear roles and responsibilities, compliance with cyber standards, cloud-specific requirements, and consideration of cloud portability when managing and mitigating the cyber risk arising from their use of third-party providers.