
Page 1: OSFI Guidelines adopted by Alberta · The Superintendent uses a variety of measures to evaluate capital. All Provincially Regulated Insurance Entities are required to maintain the

ALBERTA SUPERINTENDENT OF INSURANCE Alberta Treasury Board and Finance, Financial Sector Regulation and Policy

402 Terrace Building, 9515 107 Street, Edmonton, Alberta T5K 2C3

Email: [email protected]

Website: insurance.alberta.ca

Phone: 780-643-2237

Fax: 780-420-0742

Note: for toll-free service in Alberta, call 310-0000, then enter the number.

Alberta Superintendent of Insurance

OSFI Guidelines adopted by Alberta

Last updated: January 8, 2019

OSFI Guidelines adopted and issued by the Superintendent of Insurance for Provincially Regulated Insurance Entities

In accordance with section 792.1 of the Insurance Act, the Superintendent of Insurance has adopted and issued the following Guidelines of the Office of the Superintendent of Financial Institutions (OSFI Guidelines), including future revisions, for these entities (collectively known as “provincially regulated insurance entities”): provincially incorporated Property and Casualty Insurers, Life Insurers and Reciprocal Insurance Exchanges, either formed under the Insurance Act, or who have transferred to Alberta such that Alberta is their primary regulator.

Apart from differences due to law and unless otherwise stated, the Superintendent of Insurance has adopted and issued these Guidelines, including revisions thereto, in full. The Superintendent intends to apply the OSFI Guidelines with appropriate discretion having regard to the size, risk, complexity and structure of each provincially regulated insurance entity. The Superintendent of Insurance may, with appropriate discretion, require extra-provincial incorporated entities licensed to operate in Alberta to comply with the OSFI Guidelines.

The links on the following pages will open specific guidelines on OSFI’s website. The Alberta Superintendent of Insurance has also issued supplementary information (see the Appendix), and related Interpretation Bulletins (see the Information for Insurers web page).

Guidelines Index Page

Capital Adequacy Requirements .............................................................................................. 2

Prudential Limits and Restrictions ............................................................................................ 3

Accounting and Disclosure ....................................................................................................... 4

Sound Business and Financial Practices................................................................................... 5

Appendix: Supplementary information issued by the Superintendent of Insurance .................... 7

- 2 -

Click here to access all OSFI Guidelines.

Capital Adequacy Requirements

| Line No. | Ref. | OSFI Guideline Name | Date Adopted by Alberta | Applicable to (Life Insurance Companies / P&C Insurance Companies / Reciprocals) |
|---|---|---|---|---|
| 1 | A | Minimum Continuing Capital and Surplus Requirements (MCCSR); Life Insurance Capital Adequacy Test (LICAT): Effective January 1, 2019; Effective January 1, 2018. See also: LICAT Public Disclosure Requirements | November 2014 | X |
| 2 | A | Minimum Capital Test (MCT): Effective January 1, 2019; Effective January 1, 2018 | November 2014 | X X |
| 3 | A-4 | Regulatory Capital and Internal Capital Targets | January 2018 | X X X |

See also (A and A-4): See Appendix for supplementary information from the Superintendent of Insurance issued on December 9, 2014: Supplement to MCT, MCCSR, and A-4 Guidelines and Reserve & Guarantee Fund

Back to Guidelines Index

- 3 -

Click here to access all OSFI Guidelines.

Prudential Limits and Restrictions

| Line No. | Ref. | OSFI Guideline Name | Date Adopted by Alberta | Applicable to (Life Insurance Companies / P&C Insurance Companies / Reciprocals) |
|---|---|---|---|---|
| 4 | B-1 | Prudent Person Approach; and see the Appendix for: Alberta Statutory Investment and Lending Limits for Provincially Regulated Insurance Entities (September 30, 2013) | March 2013 | X X X |
| 5 | B-4 | Securities Lending - Life | March 2013 | X |
| 6 | B-4 | Securities Lending - P&C | March 2013 | X X |
| 7 | B-5 | Asset Securitization | November 2018 | X X |
| 8 | B-7 | Derivatives Best Practices | March 2013 | X X |
| 9 | B-9 | Earthquake Exposure Sound Practices | March 2013 | X X |
| 10 | B-11 | Pledging | March 2013 | X X X |
| 11 | E-2 | Commercial Lending Criteria | March 2013 | X |

Back to Guidelines Index

- 4 -

Click here to access all OSFI Guidelines.

Accounting and Disclosure

| Line No. | Ref. | OSFI Guideline Name | Date Adopted by Alberta | Applicable to (Life Insurance Companies / P&C Insurance Companies / Reciprocals) |
|---|---|---|---|---|
| 12 | n/a | Life Insurance Capital Adequacy Test (LICAT) Public Disclosure Requirements | April 2018 | X |
| 13 | n/a | IFRS 9 - Financial Instruments and Disclosures | July 2016 | X X X |
| 14 | C-1 | Impairment - Sound Credit Risk Assessment and Valuation Practices for Financial Instruments at Amortized Cost | March 2013 | X X X |
| 15 | D-1A | Annual Disclosures (Life Insurance Enterprises) | March 2013 | X |
| 16 | D-1B | Annual Disclosures (P&C Insurance Enterprises) | March 2013 | X X |
| 17 | D-5 | Accounting for Structured Settlements | March 2013 | X |
| 18 | D-9 | Source of Earnings Disclosure (Life Insurance Companies) | March 2013 | X |
| 19 | D-10 | Accounting for Financial Instruments Designated as Fair Value Option | March 2013 | X X X |

Back to Guidelines Index

- 5 -

Click here to access all OSFI Guidelines.

Sound Business and Financial Practices

| Line No. | Ref. | OSFI Guideline Name | Date Adopted by Alberta | Applicable to (Life Insurance Companies / P&C Insurance Companies / Reciprocals) |
|---|---|---|---|---|
| 20 | n/a | Corporate Governance Guideline | March 2013 | X X X |
| 21 | B-3 | Sound Reinsurance Practices and Procedures | March 2013 | X X X |
| 22 | B-8 | Deterring and Detecting Money Laundering and Terrorist Financing | March 2013 | X |
| 23 | B-10 | Outsourcing of Business Activities, Functions and Processes | March 2013 | X X X |
| 24 | B-20 | Residential Mortgage Underwriting Practices and Procedures | March 2013 | X X |
| 25 | E-5 | Retention/Destruction of Records | March 2013 | X |
| 26 | E-13 | Regulatory Compliance Management Guideline | March 2013 | X X X |
| 27 | E-14 | Role of the Independent Actuary | March 2013 | X |
| 28 | E-15 | Appointed Actuary: Legal Requirements, Qualifications and Peer Review | March 2013 | X X X |
| 29 | E-17 | Background Checks on Directors and Senior Management | March 2013 | X X X |
| 30 | E-18 | Stress Testing | March 2013 | X X X |

(Sound Business and Financial Practices Guidelines continued on next page)

- 6 -

Sound Business and Financial Practices (continued)

| Line No. | Ref. | OSFI Guideline Name | Date Adopted by Alberta | Applicable to (Life Insurance Companies / P&C Insurance Companies / Reciprocals) |
|---|---|---|---|---|
| 31 | E-19 | Own Risk and Solvency Assessment (ORSA). See also: ORSA Key Metrics: P&C Insurers Report Form; Life Insurers Report Form; and see Appendix for: Supplement to ORSA Guideline effective January 1, 2014 | December 2013 | X X X |
| 32 | E-21 | Operational Risk Management. See also: Self-Assessment Template (Excel) and Instructions (pdf) | July 2016 | X X X |
| 33 | n/a | See Appendix for: Supplement: Cyber Security Guidance and Cyber Security Self-Assessment Guidance effective July 19, 2016 | July 2016 | X X X |

Back to Guidelines Index

Note: See the Appendix for Supplementary information issued by the Superintendent of Insurance.

Contact Information and Useful Links

Contact the Alberta Superintendent of Insurance:

Email: [email protected]

Visit our website: insurance.alberta.ca

Subscribe to receive email updates: insurance.alberta.ca/subscribe.html

- 7 -

APPENDIX – SUPPLEMENTARY INFORMATION ISSUED BY THE SUPERINTENDENT OF INSURANCE


Financial Sector Regulation and Policy Superintendent of Insurance Room 402, Terrace Building 9515 – 107 Street Edmonton, Alberta, Canada T5K 2C3 Telephone: 780-415-6496 Fax: 780-420-0752 www.finance.alberta.ca

December 9, 2014

To All Insurance Entities Supervised by the Alberta Superintendent of Insurance (“Superintendent”), including (collectively defined as “Provincially Regulated Insurance Entities”):

• Provincially Incorporated Property & Casualty Insurance Companies;
• Provincially Incorporated Life Insurance Companies;
• Reciprocal Insurance Exchanges either formed under the Insurance Act or who have transferred to Alberta such that Alberta is their primary regulator; and
• Applicable Exempt Entities.

The Superintendent uses a variety of measures to evaluate capital. All Provincially Regulated Insurance Entities are required to maintain the applicable minimum capital requirements of the Superintendent, which is generally the Minimum Capital Test (“MCT”) or Minimum Continuing Capital and Surplus Requirements (“MCCSR”) ratio of 150%. The exception is for Reciprocal Insurance Exchanges, where the primary legislative requirement is the Reserve and Guarantee Fund (“R&G”) as defined in sections 99 and 100 of the Insurance Act. In these circumstances, the Superintendent monitors the expected minimum requirements for both the MCT and the R&G.

In addition to the minimum capital requirement, the Superintendent establishes a supervisory target capital ratio (“Supervisory Target”) that provides a cushion above the minimum requirement and facilitates the Superintendent’s early intervention process. The Supervisory Target provides additional capacity to absorb unexpected losses and addresses capital needs through on-going market access. This target considers the entity’s size, risk, complexity, and structure and is communicated to each entity, on an individual basis.

Furthermore, the Superintendent expects the Provincially Regulated Insurance Entities to establish an internal target capital ratio (“Internal Target”) per Guideline A-4 Regulatory Capital and Internal Capital Targets, and maintain on-going capital, above this target on a continuous basis.

Provincially Regulated Insurance Entities are required to inform the Superintendent immediately if they anticipate falling below their Internal Target; the notification must include a detailed outline of their plans to return to their Internal Target, for the Superintendent’s supervisory approval. The Superintendent will consider any unusual conditions in the market environment when evaluating the entity’s performance against their Internal Target.

Should you have any questions about the Superintendent’s minimum or supervisory capital requirements, or the expectations surrounding the establishment of an internal target or reporting given a breach in this target, please contact us directly by telephone at 780-415-6496 or by e-mail to [email protected].

Sincerely,

[ORIGINAL SIGNED]

Prudential Supervision

A and A-4: Supplement to MCT, MCCSR and A-4 Guidelines and Reserve and Guarantee Fund


STATUTORY INVESTMENT AND LENDING LIMITS FOR PROVINCIALLY REGULATED INSURANCE ENTITIES*

| Class of Insurance Offered | Prohibited Investments | Limitation on Ownership of an Unincorporated Body | Lending Limit | Limit on Real Property Interest | Limits on Equity Acquisitions | Aggregate Limit (Investments in Real Estate and Equities) | Restrictions on Permitted Related Party Transactions |
|---|---|---|---|---|---|---|---|
| Property & Casualty | Section 418 - No more than 5% of total assets or $500,000, whichever is greater, may be invested in any one or more connected persons. | Section 420 - No provincial entity may beneficially own more than a 10% interest in an unincorporated body. | Section 426 - The aggregate value of all loans must not exceed 5% of total assets. | Section 427 - The aggregate value of all of the entity’s interests in real property must not exceed 10% of total assets. | Section 428 - A provincial entity must not acquire participating shares of any body corporate or any ownership interests in any unincorporated body if the aggregate value would exceed 25% of total assets. | Section 429 - The aggregate value of investments in real estate and equities must not exceed 30% of total assets. | Section 444 - The aggregate value of permitted related party transactions must not exceed 10% of total assets. |
| Life | Section 418 - No more than 5% of total assets or $500,000, whichever is greater, may be invested in any one or more connected persons. | Section 420 - No provincial entity may beneficially own more than a 10% interest in an unincorporated body. | Section 425 - The aggregate value of all loans must not exceed 5% of total assets if base capital is less than $15 million. Minister approval is required if base capital is greater than $15 million. | Section 427 - The aggregate value of all of the entity’s interests in real property must not exceed 10% of total assets. | Section 428 - A provincial entity must not acquire participating shares of any body corporate or any ownership interests in any unincorporated body if the aggregate value would exceed 25% of total assets. | Section 429 - The aggregate value of investments in real estate and equities must not exceed 30% of total assets. | Section 444 - The aggregate value of permitted related party transactions must not exceed 10% of total assets. |

*Please note that this tool is not a replacement for the information contained in the Insurance Act and should only be used as a supplement to assist in interpreting the appropriate legislation and regulation; see Part 2 – Subparts 11 & 12 of the Insurance Act for more information.

September 2013

B-1: Supplement: Alberta Statutory Investment and Lending Limits for Provincially Regulated Insurance Entities


Financial Sector Regulation and Policy Superintendent of Insurance Room 402, Terrace Building 9515 – 107 Street Edmonton, Alberta, Canada T5K 2C3 Telephone: 780-415-6496 Fax: 780-420-0752 www.finance.alberta.ca

December 9, 2014

To All Insurance Entities Supervised by the Alberta Superintendent of Insurance (“Superintendent”), including (collectively defined as “Provincially Regulated Insurance Entities”):

• Provincially Incorporated Property & Casualty Insurance Companies;
• Provincially Incorporated Life Insurance Companies;
• Reciprocal Insurance Exchanges either formed under the Insurance Act or who have transferred to Alberta such that Alberta is their primary regulator; and
• Applicable Exempt Entities.

Effective December 2013, the Superintendent adopted the new Own Risk and Solvency Assessment (“ORSA”) Guideline and verbally communicated our provincial timelines to each of the Provincially Regulated Insurance Entities, as they differ from the timelines detailed in the Guideline.

To reiterate the Superintendent’s expectations, Provincially Regulated Insurance Entities must provide the Superintendent with an action plan by December 31, 2014, listing the expected date when their inaugural ORSA report will be available.

The Superintendent considers the size, risk, complexity and structure of the entity, as well as the time required for Board education and for developing / implementing the necessary processes when evaluating the suitability of the date presented. This is the rationale for the extended timeframe allowed by the Superintendent; however, the Superintendent does expect a final ORSA report no later than December 31, 2016.

Should you have any questions about the Superintendent’s expectations surrounding the ORSA timing requirements, please feel free to contact us directly by telephone at 780-415-6496 or by e-mail to [email protected].

Sincerely,

[ORIGINAL SIGNED]

Prudential Supervision

E-19: Supplement to ORSA Guideline effective January 1, 2014

Financial Sector Regulation and Policy Superintendent of Insurance Room 402, Terrace Building 9515 – 107 Street Edmonton, Alberta, Canada T5K 2C3 Telephone: 780-415-6496 Fax: 780-420-0752 www.finance.alberta.ca

July 19, 2016

To All Insurance Entities Supervised by the Alberta Superintendent of Insurance (“Superintendent”), including (collectively defined as “Provincially Regulated Insurance Entities”):

• Provincially Incorporated Property & Casualty Insurance Companies;
• Provincially Incorporated Life Insurance Companies;
• Reciprocal Insurance Exchanges either formed under the Insurance Act or who have transferred to Alberta such that Alberta is their primary regulator; and
• Applicable Exempt Entities.

Effective July 2016, the Superintendent adopted the Cyber Security Self-Assessment Guideline and shared this tool to assist Provincially Regulated Insurance Entities in their assessment of cyber security risk.

The Superintendent may request a provincially regulated insurance entity to complete the template or provide a review of its security practices during future supervisory assessments, based on the size, risk, complexity and structure of the entity. This is not currently an immediate or regular reporting requirement.

Should you have any questions about the Superintendent’s expectations surrounding the Cyber Security Self-Assessment (see attached), please feel free to contact us directly by telephone at 780-415-6496 or by e-mail to [email protected].

Sincerely,

[ORIGINAL SIGNED]

Prudential Supervision

Cyber Security Guidance (effective July 2016)


Banks/FBB/T&L/Coop/Life/P&C October 2013

Cyber Security Self-Assessment Page 1 of 11

Annex - Cyber Security Self-Assessment Guidance

This self-assessment template sets out desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework. FRFIs are encouraged to reflect the current state of cyber security practices in their assessments rather than their target state, and consider cyber security practices on an enterprise-wide basis. If a FRFI employs relevant practices that are not described in the template, it is encouraged to list them and their related assessments.

OSFI suggests that FRFIs rate their current degree of maturity on a 1 to 4 scale and provide sufficient justification in all circumstances. A suggested definition of each of the ratings is provided below.

4 – Fully Implemented: The FRFI has fully implemented the principles across its enterprise. There is evidence to substantiate the assessment. There are no outstanding issues identified (e.g. issues raised through self-assessment, or by groups such as operational risk management, Internal Audit, supervisors or other third parties).

3 – Largely Implemented: The FRFI has largely, but not fully, implemented the principles across its enterprise, or there may be some minor outstanding issues identified (e.g. issues raised through self-assessment, or by groups such as operational risk management, Internal Audit, supervisors or other third parties).

2 – Partially Implemented: The FRFI has partially implemented the principle, major aspects of the implementation remain, and there may be some significant outstanding issues identified (e.g. issues raised through self-assessment or by groups such as operational risk management, Internal Audit, supervisors or other third parties).

1 – Not Implemented: The FRFI has not yet implemented this practice.

N/A: If the FRFI determines the rating 1 to 4 is not applicable, the FRFI is encouraged to provide sufficient justification for this selection.

The self-assessment template can be found below:

Cyber Security Self-Assessment Guidance

1. Organization and Resources

| Item | Criteria | Rating | Rating Rationale and Description (Control Design and Effectiveness) | Action Plan and Target Date(s) for Full Implementation |
|---|---|---|---|---|
| 1.1 | The FRFI has clearly established accountability and ownership of, and financial resources for, the cyber security framework [1]. | | | |
| 1.2 | The FRFI has assigned specific roles and responsibilities for the management of cyber security, and these individuals have sufficient delegated operational authorities. | | | |
| 1.3 | The FRFI has a centrally managed group of cyber security specialists that is responsible for threat intelligence, threat management and incident response. | | | |
| 1.4 | The FRFI provides 24/7 identification and response capabilities for the management of cyber security. | | | |
| 1.5 | The FRFI has a sufficient number of skilled staff for the management of cyber security. | | | |
| 1.6 | The cyber security specialists are subject to enhanced background and security checks. | | | |
| 1.7 | The FRFI has a formalized plan to provide ongoing technical training to cyber security specialists. | | | |
| 1.8 | Cyber security training is provided to new and existing employees. | | | |
| 1.9 | Cyber security awareness is provided to all employees. | | | |

[1] Cyber Security Framework: A complete set of organizational resources including policies, staff, processes, practices and technologies used to assess and mitigate cyber risks and attacks.

2. Cyber Risk and Control Assessment

| Item | Criteria | Rating | Rating Rationale and Description (Control Design and Effectiveness) | Action Plan and Target Date(s) for Full Implementation |
|---|---|---|---|---|
| 2.1 | The FRFI has a process to conduct regular and comprehensive cyber risk assessments that consider people (i.e. employees, customers and other external parties), processes, data, and technology across all its business lines and geographies. | | | |
| 2.2 | The FRFI assesses and takes steps to mitigate potential cyber risk arising from its outsourcing arrangements deemed material under OSFI’s Guideline B-10. | | | |
| 2.3 | The FRFI assesses and takes steps to mitigate potential cyber risk arising from its critical IT service providers. | | | |
| 2.4 | The FRFI’s change management risk assessment and due diligence processes consider cyber risk. | | | |
| 2.5 | The FRFI conducts regular hardware and software vulnerability scans and testing for client, server, and network infrastructure to identify security control gaps. | | | |
| 2.6 | The FRFI conducts regular penetration testing of the network boundary (e.g. open network entry and exit points) to identify security control gaps. | | | |
| 2.7 | The FRFI conducts regular testing with its third party cyber mitigating services. | | | |
| 2.8 | The FRFI conducts regular cyber-attack (including Distributed Denial-of-Service (DDoS)) and recovery simulation exercises. | | | |
| 2.9 | The FRFI considers in its risk assessment the impact of an Internet outage across Canada for an extended period of time. | | | |

3. Situational Awareness

| Item | Criteria | Rating | Rating Rationale and Description (Control Design and Effectiveness) | Action Plan and Target Date(s) for Full Implementation |
|---|---|---|---|---|
| 3.1 | The FRFI maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to: software and hardware asset inventory; network maps (including boundaries, traffic and data flow); and network utilization and performance data. | | | |
| 3.2 | The FRFI centrally stores a history of security event information. | | | |
| 3.3 | The FRFI normalizes, aggregates, and correlates security event information. | | | |
| 3.4 | The FRFI conducts automated analysis of security events to identify potential cyber-attacks including DDoS attacks. | | | |
| 3.5 | The FRFI supplements automated analysis of security events by conducting additional expert analysis on security events to identify potential cyber-attacks. | | | |
| 3.6 | The FRFI monitors and tracks cyber security incidents in the financial services industry and more broadly as relevant, through participation in industry programs (e.g. Canadian Cyber Incident Response Centre). | | | |
| 3.7 | The FRFI subscribes to industry research on cyber security. | | | |

4. Threat and Vulnerability Risk Management

| Item | Criteria | Rating* | Rating Rationale and Description (Control Design and Effectiveness) | Action Plan and Target Date(s) for Full Implementation |
|---|---|---|---|---|
| | Data Loss Detection / Prevention | | | |
| 4.1 | The FRFI has implemented tools to: prevent unauthorized data leaving the enterprise; monitor outgoing high risk traffic to detect unauthorized data leaving the FRFI (e.g. by geography, size, volume, information type); safeguard data in online and offline stores (e.g. desktop, laptops, mobile devices, removable devices, and removable media); and safeguard data at rest and in motion. | | | |
| 4.2 | The FRFI has implemented the above controls on an enterprise-wide basis. | | | |
| | Cyber Incident Detection & Mitigation | | | |
| 4.3 | The FRFI has implemented the following security tools and provides for their currency, automated updates, and enterprise-wide application: intrusion detection / protection systems; web application firewalls; anti-virus; anti-spyware; anti-spam; DDoS protection; and other (please describe). | | | |
| 4.4 | The FRFI has implemented the above security tools using enhanced detection techniques (e.g. reputation-based and/or behaviour-based). | | | |
| | Software Security | | | |
| 4.5 | The FRFI has a process to obtain, test and automatically deploy security patches and updates in a timely manner based on criticality. | | | |
| 4.6 | The FRFI considers and mitigates cyber risk arising from use of any unsupported software. | | | |

4. Threat and Vulnerability Risk Management (continued)

| Item | Criteria | Rating* | Rating Rationale and Description (Control Design and Effectiveness) | Action Plan and Target Date(s) for Full Implementation |
|---|---|---|---|---|
| 4.7 | The FRFI has a process to confirm successful deployment of security patches and resolve update failures. | | | |
| 4.8 | The FRFI’s internally or externally developed software is subject to secure system design, coding and testing standards that incorporate appropriate cyber security controls. | | | |
| 4.9 | The FRFI implements the above controls on an enterprise-wide basis. | | | |
| | Network Infrastructure | | | |
| 4.10 | The FRFI has implemented network boundary monitoring and protection. | | | |
| 4.11 | The FRFI segments the enterprise network into multiple, separate trust zones. | | | |
| 4.12 | The FRFI’s network infrastructure has multiple layers of defence (e.g. cloud based, ISP, on premise) to mitigate against DDoS attacks. | | | |
| 4.13 | The FRFI is able to rapidly and remotely isolate, contain or shut down compromised operations. | | | |
| 4.14 | The FRFI has implemented processes and tools to secure mobile devices and wireless networks. | | | |
| 4.15 | The FRFI implements the above controls on an enterprise-wide basis. | | | |
| | Standard Security Configuration and Management | | | |
| 4.16 | The FRFI uses standard secure Operating System images for client, server and network devices. | | | |
| 4.17 | The FRFI follows a formal change management process for security configuration management for all network hardware and software assets on its networks. | | | |
| 4.18 | The FRFI documents, implements and enforces security configuration standards for all hardware and software assets on the network. | | | |
| 4.19 | The FRFI restricts the use of unauthorised/unregistered software and hardware through policy and automated tools, including mobile devices. | | | |

4.20 The FRFI implements the above controls on an enterprise-wide basis.

Network Access Control & Management

4.21 The FRFI has the ability to automatically detect and block unauthorised network access (e.g. including wired, wireless and remote access).

4.22 The FRFI applies strong authentication mechanisms to manage user identities and access.

4.23 The FRFI tightly controls and manages the use of administrative privileges.

4.24 The FRFI implements the above controls on an enterprise-wide basis.

Third Party Management

4.25 The FRFI considers cyber security risk as part of its due diligence process for material outsourcing arrangements and critical IT service providers, including related subcontracting arrangements.

4.26 Contracts for all material outsourcing arrangements and critical IT service providers include the provision for safeguarding the FRFI’s information.

4.27 The FRFI has a process in place to monitor the level of cyber risk preparedness for material outsourcing arrangements and critical IT service providers.

4.28 The FRFI has processes in place to ensure the timely notification of a cyber incident from service providers with whom the FRFI has one or more material outsourcing arrangements, or critical IT service providers.

Customers and Clients

4.29 Cyber security awareness and information is provided to customers and clients.

4.30 The FRFI has taken additional actions to protect its customers and clients.

5. Cyber Security Incident Management

Item | Criteria | Rating | Rating Rationale and Description (Control Design and Effectiveness) | Action Plan and Target Date(s) for Full Implementation

5.1 The FRFI’s Incident Management Framework is designed to respond rapidly to material cyber security incidents.

5.2 An appropriate 'command and control' structure with the requisite delegated expenditure authority has been established within the Incident Management Framework to support rapid response to all levels of cyber security incidents.

5.3 The FRFI has documented procedures for monitoring, analyzing and responding to cyber security incidents.

5.4 The FRFI change management process has been designed to allow for rapid response and mitigation to material cyber security incidents.

5.5 The FRFI’s Incident Management Framework includes escalation criteria aligned with its cyber security taxonomy.

5.6 The FRFI has an internal communication plan to address cyber security incidents that includes communication protocols for key internal stakeholders (e.g. relevant business units / call centres, senior management, risk management, Board of Directors, etc.).

5.7 The FRFI has an external communication plan to address cyber security incidents that includes communication protocols and draft pre-scripted communications for key external stakeholders (i.e. customers, media, critical service providers, etc.).

5.8 The FRFI’s incident management process is designed to ensure that the following tasks are fully completed before an incident can be formally closed:

- Recovery from disruption of services from the cyber security incident;
- Assurance of systems’ integrity following the cyber security incident; and
- Recovery of lost or corrupted data due to the cyber security incident.

5.9 The FRFI has an established post incident review process that:

- is completed for material cyber security incidents;
- includes appropriate cyber forensic investigations;
- chronicles the events leading up to, during and following the cyber security incident;
- identifies the root cause and highlights control deficiencies;
- assesses any breakdowns in the incident management process; and
- establishes a plan of action to address identified deficiencies.

6. Cyber Security Governance

Item | Criteria | Rating | Rating Rationale and Description (Control Design and Effectiveness) | Action Plan and Target Date(s) for Full Implementation

Cyber Security Policy & Strategy

6.1 The FRFI has established an enterprise-wide cyber security policy [2], with supporting procedures in place that set forth how the FRFI will identify and manage its cyber security risks.

6.2 The roles and responsibilities of each of the three lines of defence and other stakeholders are clearly described within the cyber security policy.

6.3 The cyber security policy applies to all of the bank’s operating groups and entities, including subsidiaries, joint ventures and geographic regions.

6.4 The FRFI has a defined and consistent common taxonomy for cyber security risk.

[2] Cyber Security Policy: A set of documented and authorized principles that set out how the Cyber Security Program is to be governed and executed.

6.5 The FRFI’s cyber security policy is linked to other relevant Risk Management policies including Information Security, Business Continuity Management, Outsourcing, New Initiatives and Change Management, etc.

6.6 The FRFI has established a cyber security strategy that is aligned with the FRFI’s business strategy.

6.7 The FRFI has a strategic and tactical cyber security implementation plan that outlines key initiatives and timelines.

Second Line of Defence (e.g. Risk Management)

6.8 Relevant risk and control assessments (RCAs) address cyber security risk and mitigating controls.

6.9 Key risk and performance indicators as well as thresholds have been established for the FRFI’s key inherent cyber security risks and controls.

6.10 The FRFI has utilized scenario analysis to consider a material cyber-attack, mitigating actions, and identify potential control gaps.

6.11 The second line of defence appropriately assesses cyber security risk within the FRFI’s change management process.

6.12 The second line of defence responsibilities relating to cyber security assessments have been assigned to an independent control group with cyber risk expertise.

6.13 The second line of defence regularly provides an independent challenge to the various cyber security risk assessments conducted by the first line of defence (e.g. risk assessments within RCSAs, scenario analysis, change management processes, KRIs, threat risk assessments, etc.).

6.14 The second line of defence monitors and challenges the identification, appropriateness and remediation of actions, resulting from cyber security incidents and risk assessments.

6.15 The FRFI’s operational risk appetite and tolerance considers cyber security risk.

6.16 The FRFI has considered cyber risk insurance coverage that provides financial mitigation to cyber risk incidents and impacts.

Internal Audit – Third Line of Defence

6.17 Internal Audit coverage includes, but is not limited to, all aspects of cyber security within this questionnaire.

6.18 The frequency of cyber security audits is determined by and is consistent with the risk of a cyber-attack.

6.19 Internal Audit has assessed or is planning to assess both the design and effectiveness of the cyber security framework.

6.20 Internal Audit has sufficient resources and expertise to audit the cyber security framework implementation.

Senior Management & Board Oversight

6.21 A Senior Management committee has been established that is dedicated to the issue of cyber risk, or an alternative Senior Management committee has adequate time devoted to the discussion of the implementation of the cyber security framework.

6.22 Senior Management provides adequate funding and sufficient resources to support the implementation of the FRFI’s cyber security framework.

6.23 Processes are in place to escalate breaches of limits and thresholds to Senior Management for significant or critical cyber security incidents.

6.24 The Board, or a committee of the Board, is engaged on a regular basis to review and discuss the implementation of the FRFI’s cyber security framework and implementation plan, including the adequacy of existing mitigating controls.

External Benchmarking

6.25 The FRFI has conducted an external benchmarking review of its cyber security framework.