← Frameworks / Regulatory

OSFI Guideline B-13 Technology and Cyber Risk Management

Canadian federal prudential guideline for technology and cyber risk management at federally regulated financial institutions. Covers 4 domains: governance and risk management, technology operations and resilience, cyber security (identify/defend/detect/respond), and third-party technology risk including cloud-specific considerations.

Clauses: 17

Avg Coverage: 78.1%

Publisher: Office of the Superintendent of Financial Institutions (OSFI) Version: 2024

OSFI B-13 → SP 800-53 SP 800-53 → OSFI B-13 Coverage Analysis

Clause	Title	SP 800-53 Controls
B-13.1.1	Technology and cyber risk governance, accountability, and culture	AC-05 AT-01 AT-02 AT-03 AT-04 AT-05 PL-04 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09 AT-06
B-13.1.2	Technology and cyber risk strategy	PL-01 PL-02 PL-03 PL-06 SA-02 PL-09 PL-10 PL-11
B-13.1.3	Technology and cyber risk management framework	AC-01 AU-01 CA-01 CA-02 CA-04 CA-05 CA-06 CA-07 IA-01 PL-01 PL-02 PL-03 PL-05 PT-01 PT-02 PT-03 RA-01 RA-02 RA-03 RA-04 SC-01 SI-01 RA-07 RA-08 RA-09 PL-09
B-13.1.4	Technology and cyber risk reporting	CA-05 IR-06 RA-04 RA-07
B-13.2.1	Technology asset management	CM-08 PE-16 SA-03 CM-12 CM-13
B-13.2.2	Technology architecture and standards	CA-03 CM-01 CM-02 CM-06 CM-07 SA-01 SA-03 SA-05 SA-06 SA-07 SA-08 SC-02 SC-03 SC-22 CM-14 SA-23
B-13.2.3	Technology change management	CM-01 CM-03 CM-04 CM-05 MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 SA-01 SA-04 SA-10 CM-14
B-13.2.4	Technology vulnerability and patch management	MA-06 RA-05 SI-01 SI-02 SI-05 RA-07
B-13.2.5	Technology incident management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-09
B-13.2.6	Technology resilience and disaster recovery	CP-01 CP-02 CP-03 CP-04 CP-05 CP-06 CP-07 CP-08 CP-09 CP-10 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18 SC-05 SC-06 SC-24 SI-17
B-13.3.1	Cyber risk identification and assessment	CM-08 RA-02 RA-03 RA-05 RA-09 RA-07
B-13.3.2	Cyber security controls	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AU-09 CA-03 CM-05 CM-06 CM-07 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 MA-04 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-17 PE-19 PS-04 PS-05 PT-01 PT-07 SA-07 SA-08 SA-10 SA-11 SC-01 SC-02 SC-03 SC-04 SC-05 SC-07 SC-08 SC-09 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-20 SC-21 SC-22 SC-23 SI-03 SI-07 SI-08 SI-09 SI-10 SI-11 SI-12 SC-41 SI-16 SC-44
B-13.3.3	Cyber security monitoring and detection	AC-13 AT-05 AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 CA-07 CM-04 IR-05 PE-06 PE-08 SI-03 SI-04 SI-05 SI-06 SI-07 SI-08 SC-45 SC-42
B-13.3.4	Cyber incident response	CP-10 IR-01 IR-02 IR-03 IR-04 IR-06 IR-07 IR-09
B-13.3.5	Cyber security testing	CA-02 CA-04 CP-04 IR-03 SA-11 SI-06 RA-09
B-13.4.1	Third-party technology risk management	AC-20 MA-05 PS-07 SA-04 SA-09 SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SR-09 SR-10 SR-11 SR-12 SA-21
B-13.4.2	Third-party technology risk oversight and monitoring	SA-09 CA-07 CA-09