OSFI Cyber Security Self-Assessment Guidance - Is Your Bank At Risk?

Posted by Mikki Ware on April 3, 2015


In February 2011, the Canadian government was attacked by foreign hackers using IP addresses from China. The hackers infiltrated Defence Research and Development Canada, a move that forced the Finance Department and Treasury Board to shut down internet access - but not before the hackers accessed highly classified federal information. While we may cheer the lovable anti-hero hackers in the movies, cyber attacks on the financial industry pose real-world threats. With that in mind, the OSFI (Office of the Superintendent of Financial Institutions) released the Cyber Security Self-Assessment Guidance for federally regulated financial institutions (FRFIs) in November 2013.

Charged with the regulation and supervision of all Canadian banks, the OSFI does not have any on-point legislation about social media use, but rather is concerned with cyber security and threats from all sources. What are the risks, and does your organization have the tools and strategy to fend off a cyber attack?

Data Leaks

Much like the 2011 attack, hackers are using sophisticated and hard-to-detect methods to harvest sensitive data. The Canadian Security Intelligence Service notes that “the use of crafted e-mails, social networking services and other means and techniques to facilitate efforts of various hostile actors to acquire government, corporate or personal data” is becoming more common, but harder to detect. In fact, the 2011 attack came as a result of a “phishing” scheme, a method in which innocuous-looking emails carry infected attachments that allow hackers to harvest sensitive data.

One of the OSFI guidance criteria assesses threat and vulnerability risk management. The FRFI can determine whether it has implemented tools to prevent data leaks, monitor outgoing high-risk traffic, and safeguard data on devices (including mobile devices, laptops, and external drives). This criterion also includes the implementation of security tools such as firewalls, anti-virus and anti-malware, anti-spam, and DDoS (distributed denial of service) protection.


Since the purpose of most cyber attacks is to access sensitive information, a successful attack puts a financial institution at risk of breaching compliance and privacy regulations.

The OSFI guidance template includes criteria for risk assessment processes, as well as cyber security management, threat intelligence, and incident response.

FRFIs looking to leverage social media will also need to consider tools for archiving, approving, and filtering posts to social networks.

User Error

According to Forbes, 67% of enterprise tablet users are remote workers and 63% of cell phone owners use their device to go online.

The OSFI guidance outlines criteria for financial institutions to assess their awareness of all devices (hardware and software), users, applications, and network data.

Ready to get started assessing your cyber security risk? Print the template here.

