OSFI's Guideline B-13 is the primary technology and cyber risk management standard for federally regulated banks, trust companies, life insurers, and property & casualty insurers in Canada. Non-compliance is identified during OSFI examinations and can result in supervisory intervention. ThreeShield delivers B-13 gap assessments and governance frameworks backed by Lavawall® continuous monitoring.
OSFI's Guideline B-13: Technology and Cyber Risk Management sets out the Office of the Superintendent of Financial Institutions' expectations for how federally regulated financial institutions (FRFIs) manage technology risk and cyber risk. Effective January 1, 2022, B-13 replaced earlier OSFI guidance and significantly raised the bar for technology governance, cyber resilience, and third-party risk management.
B-13 applies to all FRFIs - banks, federally regulated trust and loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies. Non-compliance is assessed during OSFI's regular supervisory examination cycle and can result in supervisory letters, increased examination intensity, and in serious cases, formal intervention.
OSFI B-13 is organized around three interconnected domains, each with specific outcomes OSFI expects FRFIs to achieve.
Board and senior management oversight of technology and cyber risk. Defined roles (CISO or equivalent), risk appetite statement for technology risk, and integration of technology risk into the enterprise risk management framework. OSFI expects demonstrable board engagement - not delegation to IT.
Formal technology risk assessment processes, risk tolerance thresholds, risk acceptance procedures, and integration of technology risk metrics into management reporting. Technology risk must be managed with the same rigour as credit or market risk.
Reliable, secure technology infrastructure. Asset lifecycle management, change management, patch and vulnerability management, capacity planning, and backup and recovery - all monitored continuously. Lavawall® addresses patch compliance and vulnerability management components directly.
Risk-based cybersecurity program covering identity and access management, network security, data protection, security monitoring, and incident management. OSFI expects evidence of continuous monitoring - not point-in-time assessments.
Due diligence on technology vendors and cloud service providers. Contractual security requirements, ongoing monitoring, and exit strategies for critical technology dependencies. Aligns with Bill C-8 CCSPA supply chain requirements for designated operators.
Documented and tested incident response and recovery plans. OSFI expects institutions to demonstrate they can detect, contain, and recover from significant cyber incidents within defined Recovery Time Objectives (RTOs). Significant events are subject to 72-hour incident reporting to OSFI.
Federally regulated financial institutions that are designated operators under Bill C-8 face obligations under both B-13 and the CCSPA simultaneously. The good news: the programs are complementary. A B-13-compliant institution has most of what a C-8 cybersecurity program requires. ThreeShield maps both frameworks and builds programs that satisfy both without duplication.
| B-13 Requirement | Lavawall® Automated | ThreeShield Expert Layer |
|---|---|---|
| Continuous security monitoring | ✓ 24/7 across endpoints, cloud, M365 | - |
| Patch and vulnerability management | ✓ 7,533+ apps, automated reporting | - |
| Identity and access management monitoring | ✓ Entra ID / M365 / AWS | IAM policy review |
| Third-party risk monitoring | ⚑ Vendor exposure monitoring | Formal vendor assessment methodology |
| Cyber risk assessment | ⚑ Risk scoring data | CISSP/CISA formal B-13 risk assessment |
| Incident response and 72-hr OSFI reporting | ⚑ Detection and alerting | IR plan with OSFI notification workflow |
| Technology risk governance documentation | - | ThreeShield develops governance framework |
| Board reporting on technology risk | ⚑ Automated dashboards | Board-ready reporting templates |
For FRFIs with internal security teams needing continuous monitoring and evidence collection for B-13 examinations
CISSP/CISA expert guidance alongside your internal team
Complete B-13 compliance program delivered by ThreeShield
Banks designated under Bill C-8 face both B-13 and CCSPA obligations simultaneously. OSFI is the sector regulator under Bill C-8 for the banking sector. A bank's B-13 cybersecurity program provides a strong foundation for C-8 compliance - the risk assessment, incident response, and third-party risk management requirements are substantially aligned. ThreeShield maps both and builds a single program that satisfies both, eliminating duplicate effort.
B-13 applies to federally regulated financial institutions - those incorporated or registered under federal legislation. Provincial credit unions (regulated by BCFSA, FSRA, DICO, etc.) are not directly subject to B-13, though they face analogous expectations from their provincial regulators. For BC credit unions, see our BCFSA page. For Ontario credit unions, FSRA has its own cyber expectations.
OSFI's examination cycle varies by institution size and risk profile - typically every 1-3 years for most FRFIs, with larger systemic institutions examined more frequently. Technology and cyber risk is now a standard examination area, not an occasional focus. Organizations should maintain B-13 compliance continuously, not only in the months before an expected examination.
ThreeShield delivers OSFI B-13 gap assessments that identify exactly where you stand against all three domains - with Lavawall® providing the continuous monitoring evidence OSFI expects to see.
Book a B-13 Gap Assessment. Also covers Bill C-8 CCSPA, PIPEDA/C-27, and CIRO Cybersecurity Guidance.