Canada’s financial regulator is urging the country’s biggest banks and insurance companies to perform a new controlled threat assessment of their cyber resilience every three years with independent penetration testers.
The recommendation for the assessment, called Intelligence-Led Cyber Resilience Testing (I-CRT), was announced today in new guidance from the Office of the Superintendent of Financial Institutions (OSFI) to help banks and insurers identify areas where they could be vulnerable to sophisticated cyber-attacks.
The OSFI supervises more than 400 federally regulated financial institutions and 1,200 pension plans, but the I-CRT framework is only being applied to major institutions.
The I-CRT approach, first developed by the Bank of England, is used globally by regulators to enhance financial institutions’ technology and cyber resilience against sophisticated attacks, the regulator said.
All federally regulated financial institutions are expected to practice effective risk management and assess their level of cyber preparedness. That may include doing traditional penetration testing (looking for vulnerabilities) and establishing a red team that specializes in testing the reactions of systems and employees.
An I-CRT test is wider than a red team test in that it assesses critical business functions. These are functions that, if disrupted, could have an impact on the financial stability of a company and its resilience, safety or soundness.