Understanding OSFI Guideline B-13 technology and cyber risk management and how Halbarad helps

OSFI Guideline B-13 is Canada's prudential technology and cyber risk management guideline for federally regulated financial institutions. It is not a third-party risk rule, although third-party technology risk is part of it. The guideline is about governing technology and cyber risk across the institution.

Official sources

OSFI says B-13 establishes expectations related to technology and cyber risk management and applies to all federally regulated financial institutions, including foreign bank branches and foreign insurance company branches to the extent consistent with applicable Canadian obligations.

What B-13 is trying to do

B-13 pushes FRFIs to treat technology and cyber risk as enterprise risk. The institution should know which systems and data support business operations, how cyber risk is controlled, how technology changes are governed, how incidents are detected and handled, and how third-party technology providers fit into the risk profile.

What the guideline covers

  • Governance and risk management for technology and cyber risk.
  • Technology operations, resilience, change, asset, and configuration management.
  • Cyber security controls for identifying, defending, detecting, responding, and recovering.
  • Third-party technology and cyber dependencies, including cloud and managed services.
  • Incident response, testing, assurance, remediation, and reporting.

What teams need to operationalize

Teams need a joined view of systems, applications, data, identities, privileged access, cloud services, managed service providers, business owners, critical operations, control evidence, and incidents. If a provider hosts a critical platform, the record should connect provider risk to technology operations, cyber controls, recovery, and business impact.

Evidence to maintain

  • Technology and cyber risk policies, standards, governance, and reporting.
  • System, application, data, cloud, and provider inventories.
  • Access, vulnerability, patch, logging, backup, recovery, and monitoring evidence.
  • Technology change, incident, problem, and remediation records.
  • Third-party technology due diligence, contracts, assurance evidence, and monitoring.
  • Cyber incident response records and lessons learned.

Common gaps

  • Technology inventories and third-party inventories are not reconciled.
  • Cloud and SaaS services are reviewed as procurement items but not as technology-risk dependencies.
  • Cyber incidents involving providers do not update the provider risk record.
  • Control testing findings are tracked separately from remediation reporting.

How Halbarad helps

Halbarad helps teams map technology providers to systems, data, business services, control evidence, incidents, and remediation. Spark Assessment, Nth-Party Discovery, Continuous Monitoring, and Governance workflows help keep the provider side of B-13 current and auditable.

Halbarad helps operationalize and evidence the work. It does not replace OSFI guidance or institution-specific cyber risk management.

Disclaimer

This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.