OSFI Guideline B-13 is the Office of the Superintendent of Financial Institutions' mandatory cyber resilience framework for federally regulated financial institutions (FRFIs) in Canada. It requires organizations to implement a comprehensive Technology and Cyber Risk Management Program that covers governance, risk assessment, threat detection, incident response, and third-party risk management. Effective as of the 2024-2025 compliance cycle, the guideline applies to all banks, insurance companies, trust and loan companies, and pension plans regulated by OSFI, and it represents a significant shift from voluntary best practices to enforceable regulatory obligations.
What Is OSFI Guideline B-13? The Complete Definition
OSFI Guideline B-13, officially titled "Technology and Cyber Risk Management," is a mandatory regulatory framework issued by the Office of the Superintendent of Financial Institutions Canada. Published in January 2023 with phased implementation beginning in 2024 and full compliance required by 2025, B-13 replaces the earlier Guideline B-10 (Outsourcing of Business Activities, Functions, and Processes) and significantly expands the scope of cyber resilience expectations for Canada's federally regulated financial sector.
The guideline is structured around six core principles that form the foundation of a robust Technology and Cyber Risk Management Program (TCRMP). These principles cover governance and oversight, risk management, operational controls, threat detection and monitoring, incident management and response, and recovery and business continuity. Unlike its predecessor, B-13 explicitly addresses technology risk beyond simple outsourcing, encompassing cloud computing, artificial intelligence, critical infrastructure dependencies, and emerging threats such as ransomware and supply chain compromises.
For Canadian organizations subject to OSFI oversight, B-13 introduces enforceable expectations for board-level accountability, mandatory cyber incident reporting to OSFI, and rigorous third-party risk management requirements. The guideline also references the Canadian Centre for Cyber Security's (CCCS) Baseline Cyber Security Controls and ITSG-33 framework, requiring FRFIs to align their programs with these national standards.
Who Must Comply with OSFI Guideline B-13?
OSFI Guideline B-13 applies to all federally regulated financial institutions in Canada, which includes:
- Domestic banks and authorized foreign banks operating in Canada
- Insurance companies (life, property and casualty, and reinsurance) regulated at the federal level
- Trust and loan companies that are federally incorporated
- Pension plans registered with OSFI under the Pension Benefits Standards Act, 1985
- Cooperative credit associations and other federally regulated financial entities
It is critical to note that provincially regulated financial institutions, such as credit unions regulated by provincial authorities or insurance companies operating solely within a single province, are not directly subject to OSFI B-13. However, many provincial regulators are adopting equivalent expectations, and any FRFI that outsources services to provincially regulated entities must ensure those partners meet B-13's third-party risk management standards.
Core Requirements of OSFI Guideline B-13
1. Governance and Board Accountability
Under B-13, an FRFI's board of directors or similar governing body bears ultimate responsibility for technology and cyber risk oversight. This includes approving the Technology and Cyber Risk Management Program, ensuring adequate resources are allocated, and receiving regular reporting on the institution's risk posture. The guideline explicitly requires boards to possess or obtain sufficient cyber literacy to challenge management's risk decisions effectively. Senior management is responsible for implementing the program, defining roles and responsibilities, and ensuring that risk appetite statements explicitly incorporate technology and cyber risk.
2. Risk Management Framework
OSFI B-13 mandates a continuous risk assessment process that identifies, assesses, and prioritizes technology and cyber risks. This includes conducting threat modelling, vulnerability assessments, and scenario analysis to understand potential impacts on critical business services and sensitive data. Institutions must document their risk appetite and risk tolerance levels, establishing clear thresholds for acceptable risk exposure. The risk management framework must also address concentration risk, particularly with respect to third-party service providers and critical technology dependencies.
3. Operational Controls and Security Architecture
The guideline requires FRFIs to implement a comprehensive set of operational controls aligned with the CCCS Baseline Cyber Security Controls. These controls cover identity and access management, data protection (both at rest and in transit), network security, application security, endpoint protection, and secure configuration management. Organizations must also establish robust change management processes, including segregation of duties and approval workflows for critical system changes. B-13 specifically addresses the use of emerging technologies such as artificial intelligence, requiring institutions to assess and manage the unique risks these technologies introduce.
4. Threat Detection and Monitoring
FRFIs must deploy continuous monitoring capabilities to detect cyber threats and anomalous activities in real time. This includes implementing security information and event management (SIEM) systems, intrusion detection and prevention systems, and user behaviour analytics. The guideline emphasizes the importance of correlating threat intelligence from multiple sources, including the CCCS, industry information-sharing groups, and commercial threat feeds. Detection controls must cover network traffic, endpoints, cloud environments, and third-party interfaces. Institutions are expected to maintain a threat detection capability that can identify sophisticated attacks, including advanced persistent threats and zero-day exploits.
5. Incident Management and Response
OSFI B-13 mandates the establishment of a formal incident management program that includes predefined response plans, communication protocols, and escalation procedures. FRFIs must conduct regular tabletop exercises and simulations to test the effectiveness of their response capabilities. The guideline requires timely notification to OSFI of any material cyber incident, with the expectation that institutions will report within 24 to 72 hours of detection, depending on the severity. Incident response plans must address forensic investigation, evidence preservation, regulatory reporting, stakeholder communication, and post-incident review.
6. Recovery and Business Continuity
B-13 requires FRFIs to develop and maintain business continuity and disaster recovery plans that ensure the timely restoration of critical business services in the event of a cyber incident. This includes establishing recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical systems and data. Institutions must regularly test their recovery plans through simulations and actual failover exercises, documenting the results and addressing any identified gaps. The guideline also addresses the need for alternate processing sites, resilient network architectures, and backup strategies that protect against ransomware and other destructive attacks.
How OSFI B-13 Compares to Other Canadian Cybersecurity Frameworks
Understanding where OSFI B-13 fits within Canada's broader regulatory landscape is essential for organizations that must comply with multiple obligations. The following comparison highlights key differences and overlaps.
For FRFIs, OSFI B-13 serves as the primary compliance driver for technology and cyber risk management. However, these institutions must also satisfy PIPEDA's personal information protection requirements, and if they operate in Quebec, they must comply with Law 25's stricter privacy obligations. CyberSilo's Canada cybersecurity compliance services help organizations navigate these overlapping requirements holistically.
Key Takeaway: OSFI B-13 is Canada's most comprehensive mandatory cyber resilience framework for the financial sector. It combines governance, operational controls, and incident response requirements with enforceable regulatory oversight. Unlike voluntary frameworks such as NIST CSF or ISO 27001, B-13 carries the authority of federal financial regulation, and non-compliance can result in supervisory action, capital penalties, or enforcement orders from OSFI.
Phased Implementation Timeline for OSFI B-13
OSFI adopted a phased approach to B-13 implementation to allow FRFIs sufficient time to build their Technology and Cyber Risk Management Programs. The timeline is structured as follows:
Institutions that have not yet reached full compliance should prioritize Phase 1 and Phase 2 activities if they are still outstanding. OSFI has indicated it will conduct supervisory reviews throughout the implementation period, and early compliance gaps may attract enhanced monitoring or enforcement actions.
Incident Reporting Requirements Under OSFI B-13
OSFI B-13 establishes specific incident reporting obligations that differ from other Canadian frameworks. When an FRFI experiences a material cyber incident—defined as an event that has caused or could reasonably cause significant operational disruption, financial loss, or reputational harm—the following reporting timeline applies:
- Initial notification to OSFI: Within 24 hours of determining that an incident is material
- Detailed incident report: Within 5 business days, providing preliminary impact assessment, affected systems, and response actions
- Final report: Within 30 days of incident containment, including root cause analysis and remedial measures
It is important to distinguish B-13 incident reporting from PIPEDA breach reporting. PIPEDA requires notification to the Privacy Commissioner and affected individuals where there is a "real risk of significant harm" to individuals whose personal information is involved in a breach. Under B-13, the threshold is broader—incidents that threaten operational continuity or financial stability must be reported regardless of whether personal information is compromised. FRFIs must maintain both reporting processes concurrently, and they should integrate their PIPEDA breach management process with their B-13 incident response program to ensure coordinated disclosure.
Third-Party Risk Management Under OSFI B-13
One of the most significant expansions in OSFI B-13 compared to B-10 is the treatment of third-party risk. Under B-13, FRFIs must implement a comprehensive third-party risk management program that covers all outsourced activities, technology services, cloud computing arrangements, and critical vendor dependencies. The program must address:
- Risk classification: Categorizing third-party engagements based on criticality and inherent risk
- Due diligence: Assessing vendor security posture, financial stability, and compliance with relevant standards
- Contractual controls: Including cybersecurity requirements, audit rights, breach notification obligations, and data protection clauses
- Concentration risk: Identifying and mitigating risks arising from reliance on a single vendor or small group of vendors for critical services
- Ongoing monitoring: Continuous evaluation of third-party security through assessments, penetration testing, and performance reviews
FRFIs must also ensure that their third-party contracts include provisions that allow OSFI to access information and conduct examinations of the outsourced service provider if necessary. This requirement is particularly relevant for institutions using cloud service providers like AWS, Azure, or Google Cloud for critical financial applications.
How CyberSilo Supports OSFI B-13 Compliance
Meeting OSFI Guideline B-13 requirements demands a coordinated approach that combines governance, technology, and operational expertise. CyberSilo's ThreatHawk SIEM + SOAR platform provides the continuous threat detection, monitoring, and automated incident response capabilities that B-13 explicitly requires under Principle 4 (Threat Detection and Monitoring). The platform integrates with the CCCS Baseline Controls framework and provides real-time correlation of threat intelligence from the CCCS, industry ISACs, and global intelligence sources.
For organizations navigating the full scope of B-13 compliance, CyberSilo's Compliance Standards Automation solution streamlines the mapping of controls to OSFI requirements, automates evidence collection for supervisory reviews, and provides continuous compliance dashboards for board and management reporting. These solutions are delivered through our Canada cybersecurity compliance services, which include dedicated support for OSFI B-13, PIPEDA, Quebec Law 25, and other Canadian regulatory frameworks.
Get a Compliance Assessment for OSFI Guideline B-13
Is your organization ready for OSFI B-13 full compliance in 2025? Our cybersecurity experts can assess your current Technology and Cyber Risk Management Program against the six principles of B-13, identify gaps in governance, controls, detection, and recovery, and provide a clear roadmap to compliance. We serve federally regulated financial institutions across Canada with specialized expertise in financial sector cybersecurity.
Common Challenges in OSFI B-13 Compliance
Based on our work with FRFIs across Canada, we observe several recurring challenges that institutions face when implementing B-13 requirements:
Governance Gap: Board Cyber Literacy
Many FRFIs struggle to ensure their boards possess sufficient cyber literacy to meet B-13's governance expectations. The guideline requires boards to challenge management's risk decisions, which demands a baseline understanding of technology and cyber risk concepts. Institutions should invest in board-level cyber training programs and provide management reporting that translates technical risk into business impact terms, including financial exposure, the likelihood and duration of operational downtime, and regulatory risk.
Legacy Technology Stack
B-13's monitoring and detection requirements often expose weaknesses in legacy IT infrastructure. Many older banking and insurance platforms lack the logging capabilities or API interfaces needed for effective SIEM integration. Organizations may need to implement compensating controls such as network taps, agent-based monitoring, or virtual patching until legacy systems can be modernized or replaced. The timeline for full compliance by Q4 2025 means that legacy remediation must begin immediately.
Third-Party Risk Scoping
The breadth of third-party risk management under B-13 catches many institutions off guard. It is not enough to assess direct vendors; FRFIs must also evaluate the sub-contractors and supply chain dependencies that support critical outsourced services. This requires developing a complete third-party ecosystem map, classifying vendors by criticality, and conducting due diligence that includes security assessments, financial health checks, and business continuity validation for the highest-risk engagements.
Cross-Regulatory Harmonization
FRFIs that operate in multiple provinces or internationally must harmonize B-13 compliance with other regulatory obligations. For example, a large bank operating in Quebec must comply with OSFI B-13, PIPEDA, Quebec Law 25, and potentially US regulations such as the NYDFS 500 or SEC Cyber Disclosure rules if it has US operations. Developing a unified control framework that satisfies multiple regulators without duplicating effort is a significant challenge that CyberSilo's compliance automation solutions are specifically designed to address.
Frequently Asked Questions About OSFI Guideline B-13
Does OSFI B-13 apply to small financial institutions?
Yes. OSFI B-13 applies to all FRFIs regardless of size. However, OSFI has indicated that it will apply proportionality in supervisory expectations, meaning smaller institutions with simpler technology environments may face less burdensome requirements in certain areas, provided they can demonstrate adequate risk management commensurate with their risk profile.
What happens if an institution does not comply with OSFI B-13?
Non-compliance with OSFI B-13 can result in a range of supervisory actions, including enhanced monitoring, mandatory third-party audits, capital penalties, restrictions on business activities, and ultimately enforcement orders. OSFI has broad authority under the Bank Act and Insurance Companies Act to impose compliance conditions and take action against institutions that fail to meet regulatory expectations.
Is OSFI B-13 aligned with international standards like ISO 27001 or NIST CSF?
OSFI B-13 is not directly aligned with ISO 27001 or NIST CSF, but many controls overlap. The guideline explicitly references the CCCS Baseline Controls and ITSG-33, which themselves draw on NIST SP 800-53 and ISO/IEC 27001. Institutions that have already invested in ISO 27001 certification or NIST CSF implementation will have a head start on meeting B-13 requirements, though they will need to map their existing controls to B-13's specific principles and demonstrate compliance with OSFI's supervisory expectations.
Does OSFI B-13 cover cloud security?
Yes. OSFI B-13 explicitly addresses cloud computing and other technology services provided by third parties. FRFIs using cloud services must ensure those arrangements comply with B-13's third-party risk management requirements, including due diligence, contractual protections, audit rights, and concentration risk analysis. The guideline also requires institutions to assess cloud-specific risks such as data residency, multi-tenancy, shared responsibility models, and the potential for vendor lock-in.
How often does an FRFI need to update its Technology and Cyber Risk Management Program under B-13?
OSFI B-13 does not prescribe a fixed update cycle, but it requires that the TCRMP be reviewed and updated at least annually, or more frequently when significant changes occur in the institution's risk profile, technology environment, or threat landscape. The guideline also requires ongoing monitoring and continuous improvement, meaning institutions should treat their TCRMP as a living document that evolves in response to emerging threats, regulatory guidance, and lessons learned from incidents and exercises.
Key Takeaway for FRFIs: OSFI B-13 is not optional, and the full compliance deadline of Q4 2025 is approaching. Boards and senior management should treat this as a top regulatory priority, allocate adequate resources, and consider leveraging specialized compliance tools like CyberSilo's ThreatHawk SIEM + SOAR and Compliance Standards Automation to streamline implementation and reduce the burden on internal teams.
Steps to Achieve OSFI B-13 Compliance
For FRFIs developing or maturing their Technology and Cyber Risk Management Program, the following phased approach aligns with OSFI's implementation expectations and industry best practices.
Conduct a Gap Assessment Against B-13 Principles
Begin by mapping your existing cyber risk management program to each of B-13's six principles. Identify gaps in governance documentation, control implementation, detection capabilities, incident response readiness, third-party risk processes, and recovery testing. This assessment should also review alignment with CCCS Baseline Controls, as B-13 directly references these as the expected control standard. The gap assessment provides the baseline for your compliance roadmap and helps prioritize remediation activities based on risk severity and regulatory timelines.
Establish Board Governance and Risk Appetite
Formalize board-level governance by documenting the board's oversight responsibilities, defining the Technology and Cyber Risk Management Program charter, and establishing clear cyber risk appetite statements. Provide board members with training on cyber risk fundamentals and develop reporting dashboards that translate technical metrics into business-relevant indicators. Ensure that the institution's overall risk appetite framework explicitly incorporates technology and cyber risk as a distinct category with defined thresholds and escalation triggers.
Implement Continuous Threat Detection and Monitoring
Deploy a SIEM platform with SOAR capabilities that provides real-time monitoring across all critical systems, networks, cloud environments, and third-party interfaces. Configure the platform to correlate alerts with threat intelligence from the CCCS and other reliable sources. Implement user behaviour analytics to detect anomalous activities that may indicate compromised accounts or insider threats. The ThreatHawk SIEM + SOAR solution is purpose-built to meet B-13's monitoring requirements while reducing alert fatigue through automated correlation and response.
Develop and Test Incident Response Plans
Create incident response plans for the most likely and most impactful cyber scenarios, including ransomware, data exfiltration, business email compromise, supply chain attack, and cloud service disruption. Establish clear escalation paths, communication protocols for internal stakeholders and regulators, and runbooks for containment, eradication, and recovery. Conduct tabletop exercises at least quarterly and full-scale simulations annually, documenting lessons learned and updating plans accordingly.
Build and Validate Recovery Capabilities
Define and document RTOs and RPOs for all critical business services and supporting systems. Implement backup strategies that protect against ransomware by maintaining immutable copies, air-gapped backups, and offline recovery media. Test recovery plans through actual failover exercises, including the restoration of entire applications and databases, not just file-level recovery. Document test results and address any failures or gaps immediately, updating recovery plans to reflect lessons learned.
Implement Third-Party Risk Management Program
Inventory all third-party relationships that involve technology services, data processing, or outsourced business functions. Classify vendors by criticality and inherent risk, and conduct due diligence assessments that include security questionnaires, penetration test results, financial stability reviews, and business continuity documentation. Embed cybersecurity requirements into all vendor contracts, including breach notification timelines, audit rights, and OSFI access provisions. Develop ongoing monitoring processes that include periodic reassessments, performance reviews, and incident tracking.
Streamline Your OSFI B-13 Compliance Journey
CyberSilo's Compliance Standards Automation solution reduces the time and complexity of B-13 compliance by automating control mapping, evidence collection, and reporting. Our team of Canadian cybersecurity professionals understands the unique requirements of OSFI-regulated environments and can accelerate your path to full compliance. Whether you are just beginning your B-13 journey or need to address specific gaps in monitoring, incident response, or third-party risk, we have the expertise and technology to help.
Our Conclusion & Recommendation
OSFI Guideline B-13 represents a fundamental shift in Canada's approach to financial sector cybersecurity, moving from voluntary guidance to enforceable regulatory requirements with clear governance, operational, and reporting expectations. For federally regulated financial institutions, compliance is not optional, and the full compliance deadline of Q4 2025 leaves limited time for organizations that have not yet completed their Technology and Cyber Risk Management Programs.
Our recommendation for CISOs and compliance leaders at FRFIs is to treat B-13 compliance as a strategic priority that requires investment in both technology and people. The six principles—governance, risk management, operational controls, threat detection, incident response, and recovery—form a comprehensive framework that, when properly implemented, will significantly strengthen an institution's cyber resilience. CyberSilo's ThreatHawk SIEM + SOAR platform, combined with our Compliance Standards Automation solution and dedicated Canada cybersecurity compliance services, provides the technology and expertise needed to meet B-13 requirements efficiently while also addressing overlapping obligations under PIPEDA, Quebec Law 25, and other Canadian regulatory frameworks.
The most successful FRFIs will not view B-13 as a checkbox exercise but as an opportunity to build a mature, resilient cyber risk management program that protects their institution, their customers, and the broader Canadian financial system. Start your gap assessment today, prioritize the highest-impact controls, and engage experienced partners to accelerate your compliance timeline.
Ready to Achieve OSFI B-13 Compliance?
Contact CyberSilo today to schedule a compliance assessment and learn how our ThreatHawk SIEM + SOAR platform and Compliance Standards Automation solution can help your FRFI meet OSFI B-13 requirements with confidence.