On September 15, 2020, the Office of the Superintendent of Financial Institutions ("OSFI") released the discussion paper "Developing Financial Sector Resilience in a Digital World". This document is one product of OSFI's 2019-22 strategic initiative to develop more modern and effective approaches to non-financial risks, such as those posed by cyber crime, artificial intelligence and cloud computing, among others. As OSFI notes, while the COVID-19 pandemic did not prompt the strategic initiative, it has "highlighted the need for resilient technology infrastructures" and will "provide important lessons" for the future.
The paper is aimed at generating discussion and thus does not announce any firm proposals. It includes 18 consultation questions, responses to which will be accepted until December 15, 2020.
Outline of the Discussion Paper
In addition to a general discussion of technology risk, the Discussion Paper surveys three major types of risk as they relate to Federally Regulated Financial Institutions ("FRFIs"):
- Cyber security risk;
- Risk related to AI and machine learning (including advanced analytics); and
- Risk related to third-party ecosystems (including outsourcing).
The Discussion Paper identifies core principles relevant to each of these "priority risk areas", around which concrete risk-management plans can be developed. It also refers to data management risk and to the impact of changes to Canadian privacy legislation.
Understanding Technology Risk
Defining technology risk
The Discussion Paper defines "technology risk" as follows:
The risk arising from the inadequacy, misuse, disruption or failure of information technology systems, infrastructure or data to meet business needs.
Sub-risks include cyber risks, in addition to risks surrounding configuration, incident response and project management. Technology risk is linked to other risks, such as reputation risk and the risk of financial loss from lost business.
Risk management vs. resilience
Within the financial industry, existing standards and practices generally consider technology risk within the broader framework of operational risk management. OSFI's existing Guideline E-21 takes this approach by applying Operational Risk Management ("ORM") best practices to FRFIs.
More recently, however, OSFI and other regulators have shifted some of their focus from ORM to the slightly different concept of "operational resilience" ("OR"). While there is some overlap, the difference between the two concepts is that ORM is process-based and focused on avoiding adverse events, while OR (which was the subject of a recent consultative document by the Basel Committee on Banking) is outcomes-based and more accepting of the inevitability of adverse events – focusing less on their avoidance and more on being prepared to recover from them.
Furthermore, as the Discussion Paper observes, "traditional business continuity risk management ... does not sufficiently capture the breadth of dependencies across the business" and does not focus enough on creating a resilient corporate culture that is able to recover from unexpected disruptions to operations. While the business continuity plans of Canada's FRFIs have responded well to the COVID-19 crisis, OSFI notes that the pandemic is providing many lessons about achieving operational resilience.
Principles Governing Technology-related Risk
Currently, OSFI does not endorse any particular risk-management framework for the management of information and communications technology ("ICT") systems. The discussion paper and public comment process will help OSFI determine whether additional regulatory guidance would increase FRFIs' risk-resilience and, if so, what form such guidance should take.
The Discussion Paper reiterates OSFI's general preference for a principles-based approach, with the proviso that it will also issue prescriptive rules when specific risk situations require them. With respect to technology-related risk, OSFI has identified three "priority areas" – cyber security, advanced analytics and the third-party ecosystem (including outsourcing) – each of which has three "core principles".
The core principles of cyber security are the "CIA" principles: confidentiality, integrity and availability.
While OSFI's 2013 "Cyber Security Self-Assessment Guidance" continues to apply, OSFI intends to supplement that Guidance with additional supervisory tools that respond to the frequent new developments in this area, including OSFI's:
- Intelligence Bulletin series, published since August 2019 and offering insights into recently detected threats; and
- Technology Risk Bulletin series, published several times per year, focusing on technology topics of interest to FRFIs and their risk-management teams.
Other initiatives include greater coordination between OSFI and other regulators, as well as "quantum readiness", i.e. preparation for the increased power of cyber attacks that may be launched via the new generation of quantum computers.
The core principles of advanced analytics are soundness, explainability and accountability.
Advanced analytics, which encompasses artificial intelligence ("AI") and machine learning ("ML"), creates both opportunities and risks for FRFIs. The primary risk identified in the Discussion Paper is what OSFI describes as "AI/ML model risk" – essentially, the risk that results from the application of faulty modelling to decision-making. OSFI does not currently deal with this type of risk in a single document.
In addition to looking at initiatives in other jurisdictions, OSFI recently surveyed FRFIs about their use of AI/ML to generate models – a process that identified a number of associated risks, including:
- Data governance, quality, security, bias and privacy; and
- Reputational, operational, cyber security and third-party risks.
In response, OSFI is considering how best to incorporate the principles of model soundness, explainability and accountability into its existing regulatory guidance. Enhanced guidance may address data governance, model development and validation, auditability and fairness/non-discrimination, among other issues.
Third-party ecosystem / outsourcing
The core principles relating to the third-party ecosystem are transparency, reliability and substitutability.
As the Discussion Paper notes, the business of most FRFIs involves and depends on outsourcing and similar arrangements with third-party service providers. OSFI Guideline B-10 sets out OSFI's expectations with respect to outsourcing by FRFIs. While many of the principles in Guideline B-10 remain valid, its text was last updated in 2009, and OSFI is accordingly planning a consultation process with respect to possible changes. Issues to be considered include:
- Cloud computing;
- Cloud adoption and risk management; and
- Broader policy issues concerning dominant cloud service providers ("CSPs").
Generally speaking, the cloud computing issues that most concern OSFI include migration management, legal contract development, insufficient understanding of risks and threats, overreliance on the CSP and (more broadly) the significant market influence of the dominant CSPs, even as regards entities as large as major Canadian banks.
In addition, OSFI is also monitoring the relationships between FRFIs and FinTech companies. Recent legislative amendments have given FRFIs greater flexibility in this area, a development that the Discussion Paper recognizes as creating both opportunity and risk (notably risk related to cyber security and data management).
Finally, OSFI notes the importance of keeping the Canadian regulatory framework up to date and responsive to new challenges in data management. Data now moves at a speed and scale that was once unimaginable, creating not only cyber security concerns but also subtler risks relating to difficulties in aggregating risk exposures so as to be able to recognize entity-wide risk concentrations.
Specific developments referred to in the Discussion Paper include the May 2019 launch of Canada's Digital Charter and the federal government's concurrent proposal to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to enhance Canadians' control of their personal information. These initiatives suggest that consumer data collection and management will be an increasingly significant compliance issue for FRFIs going forward.
Going Forward: Participating in the Process
The Discussion Paper includes 18 questions that stakeholders are invited to consider and respond to. Examples of questions include:
- What factors influence the degree of financial loss exposure that may be generated by technology-related risks? (Question 3)
- What are your views on OSFI's proposed definition and scope for technology risk? (Question 4)
- Beyond cyber security considerations, how should quantum computing be managed, as an emerging risk, in the context of broader technology lifecycle management? (Question 8)
- Do the proposed principles for technology third party risk management adequately capture both current and emerging risks? What additional principles would you propose? (Question 13)
- Do you believe that additional, specific regulatory guidance on cloud risk management is warranted? If so, what elements should it address? (Question 15)
The deadline for responding is December 15, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.