Navigating the New Era of Regulations
Canada is demanding its banks strengthen their cybersecurity.
In response to what they are calling, “an environment that has created an urgency for enhanced regulatory guidance,” The Office of the Superintendent of Financial Institutions (OSFI) is taking decisive action to enhance cybersecurity within the banking and finance sector.
The new directives, which take effect January 1, 2024, require Federally Regulated Financial Institutions (FRFIs) to improve their cyber risk management.
In this blog, we delve into the upcoming changes to Canada’s cybersecurity policy, explore the motives behind these guidelines, and discuss the key elements of the recently introduced Guideline B-13. We will also tell CISOs what they need to know about OSFI’s newly released Intelligence-Led Cyber Resilience Testing (I-CRT) framework.
The Urgency for Enhanced Canadian Cybersecurity
The need for improved cybersecurity practices in the Canadian financial sector is underscored by several high-profile cyber-attacks. In 2018, Bank of Montreal (BMO) experienced one of the largest financial breaches in the country’s history. In two waves of activity, criminals managed to obtain private information from 113,000 customer accounts. By exploiting a vulnerability in Bank of Montreal’s online banking application, attackers successfully breached security safeguards, gaining control over individual online accounts and obtaining sensitive personal information associated with those accounts. The threat actors demanded a ransom of 1 million dollars, which the bank refused to pay. Consequently, the threat actors published details of 3,000 users online. A report from The Office of the Privacy Commissioner of Canada blamed a lack of proper application and network monitoring, and said the initial wave of data thefts could have been detected. Unfortunately, the bank also lacked a comprehensive defense against automated attacks by bots, leaving it vulnerable to the second wave of the breach.
These breaches proved costly for BMO, which was ordered by a court to allocate more than 23 million dollars in compensation for the victims. The impact was not only financial but also reputational, as the attack eroded trust in BMO and raised concerns among customers.
Another prominent incident occurred in 2019, when Desjardins Financial Services Firm discovered a breach that had gone unnoticed for nearly two years. This breach, carried out by a rogue employee, affected nearly 10 million Canadians. Desjardins eventually paid over 200 million dollars to settle a class action lawsuit brought by customers affected by the breach.
Such attacks are becoming pervasive in Canada. According to CyberEdge Group’s 2023 Cyberthreat Defense Report, 62.5% of all Canadian companies fell victim to some form of ransomware attack in the previous 12 months.
Understanding the New Guideline B-13
Guideline B-13, published in July 2022, establishes OSFI’s expectations for technology and cyber risk management within FRFIs. This guideline, applicable to the over 400 FRFIs and an additional 1,200 pension funds, aims to enhance institutions’ resilience to technology and cyber risks, ultimately improving their overall cybersecurity posture. It encompasses three crucial domains: Governance and Risk Management, Technology Operations and Resilience, and Cybersecurity.
Specifically in the realm of cybersecurity, OSFI encourages FRFIs to, “maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.”
To comply with B-13, financial institutions are expected to identify and assess security risks, conduct threat assessments, and rank vulnerabilities. They must adopt secure-by-design practices, continuous threat monitoring, and implement multiple layers of cybersecurity control and detection capabilities in order to identify malicious and unauthorized activity. Finally, financial institutions should have robust incident response capabilities.
The I-CRT Framework: An Intelligence-Led Approach
Building upon Guideline B-13, OSFI in April 2023 released the Intelligence-Led Cyber Resilience Testing (I-CRT) framework. This framework presents a recommended methodology for conducting controlled threat assessments, specifically targeting systemically important banks (SIBs) and internationally active insurance groups (IAIGs). I-CRT combines targeted threat intelligence with advanced tools, techniques, and procedures, aligning with the evolving threat landscape posed by sophisticated actors. The difference between I-CRT testing and traditional pentesting lies in the approach and focus. I-CRT is an intelligence-led cyber resilience assessment that incorporates targeted threat intelligence and simulates sophisticated threat actor tactics, techniques, and procedures. It evaluates an FRFI’s cyber resilience, identifies gaps or weaknesses, and enables the FRFI to take informed remedial actions aligned with its business objectives and risk appetite. Traditional pentesting, on the other hand, primarily aims to identify known vulnerabilities using standard techniques, without the same level of intelligence-driven assessment.
The I-CRT assessment follows a comprehensive methodology that evaluates an FRFI’s cyber-resilience posture, identifies cyber threats, and suggests remedial actions. It consists of four key phases: Initiation, Threat Intelligence, Execution, and Closure.
A key element of the I-CRT testing process is an independent Red Team Service Provider (RTP). The role of the RTP is to design a Red Team Test (RTT) plan, execute it, provide updates to the client during the assessment, and deliver comprehensive reports to both the client and OSFI summarizing the results.
Choosing the right Red Team Service Provider (RTP)
Here are three important considerations when choosing an RTP:
- Expertise and Experience: Look for an RTP with a proven track record in nation-state grade level cybersecurity testing and red teaming. They must also possess the necessary technical expertise and knowledge of the latest threats and vulnerabilities in the financial industry.
- Methodology and Approach: Evaluate the RTP’s methodology and approach to red teaming. They should follow a comprehensive and systematic testing process that mimics real-world attack scenarios. This includes conducting thorough reconnaissance, identifying vulnerabilities, exploiting weaknesses, and providing actionable recommendations to strengthen the institution’s defenses.
- Reporting and Collaboration: Consider the RTP’s reporting capabilities and their ability to collaborate effectively with your financial institution. The RTP will need to provide detailed reports that highlight the findings, identify vulnerabilities, and recommend remediation steps. Additionally, they should be able to work closely with the institution’s internal teams, sharing insights and knowledge to improve overall cybersecurity readiness.
Choosing the right RTP is critical to ensure that the financial institution receives a comprehensive and effective assessment of its cybersecurity controls. By considering the expertise, methodology, and collaboration capabilities of the RTP, the institution can make informed decisions to enhance its security measures and protect against potential cyber threats.
HolistiCyber is your Best Choice for A Red Team Provider
Let’s start a conversation today about how our experts can work with you as your RTP to help your financial institution get compliant with the B-13 Guidelines. HolistiCyber has put together a special program specifically designed to assist Canadian financial institutions needing assistance with I-CRT testing.