OSFI Guideline B-13 — Technology & Cyber Risk Management
OSFI Guideline B-13 — Technology & Cyber Risk Management — 100% covered.
4 requirements · 4 enforced · 0 designed · 0 advisory · 0 deferred.
Source: Office of the Superintendent of Financial Institutions, Guideline B-13 Technology and Cyber Risk Management (effective 1 January 2024). Three domains: governance and risk management (Domain 1), technology operations and resilience (Domain 2), cyber security (Domain 3) — including the technology-asset register, secure-by-design, monitoring and detection, and incident management.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Governance + risk management (Domain 1) | 1 | 1 | 0 | 0 | 0 | 100% |
| Technology operations + resilience (Domain 2) | 2 | 2 | 0 | 0 | 0 | 100% |
| Cyber security — monitoring + incident (Domain 3) | 1 | 1 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| osfi-b-13.d1 | Domain 1 — Governance and risk management: maintain a technology and cyber risk-management framework with clear accountability, a risk appetite, and senior-management oversight | enforced | audit_events: kye.assurance.risk_assessment.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/12-PURPOSE-PERMISSION.md |
| osfi-b-13.d2-asset-register | Domain 2 — Technology asset management: maintain a current inventory of technology assets and their interdependencies, classified by criticality | enforced | audit_events: kye.risk.authority_register.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/51-NO-SPOF.md |
| osfi-b-13.d2-resilience | Domain 2 — Technology resilience: design and operate technology to recover within tolerance and maintain critical operations during a disruption | enforced | audit_events: kye.resilience.signal.v1, kye.replay.proof.v1; engines: internal, internal; constitution_refs: constitution/25-EDGE-GOVERNANCE.md, constitution/51-NO-SPOF.md |
| osfi-b-13.d3 | Domain 3 — Cyber security: continuously monitor and detect cyber threats and manage cyber incidents, including timely reporting | enforced | audit_events: kye.signal.incident.opened.v1, kye.evidence.tool_call.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/35-STREAMING-LOGS.md |