In short

OSFI Guideline B-13 sets the technology and cyber risk expectations for Canada’s federally regulated financial institutions (FRFIs) and took effect January 1, 2024. It is principles-based across three domains — governance, technology operations and resilience, and cyber security — and cascades to the vendors and managed service providers (MSPs) that serve FRFIs. This guide explains who it touches, what the three domains expect, and how to demonstrate readiness.

What is OSFI Guideline B-13?

Guideline B-13, Technology and Cyber Risk Management, sets the expectations of the Office of the Superintendent of Financial Institutions (OSFI) for how federally regulated financial institutions (FRFIs) manage technology and cyber risk. It came into effect on January 1, 2024. B-13 is principles-based: it does not prescribe specific tools, but it expects an FRFI to demonstrate sound governance, resilient operations, and effective cyber defence proportionate to its size, complexity, and risk profile.

Who B-13 applies to — and why it reaches further

B-13 directly applies to federally regulated financial institutions (FRFIs): banks, federally regulated trust and loan companies, and insurers. But its reach is wider in practice. B-13’s third-party and outsourcing expectations (reinforced by Guideline B-10) mean that the vendors, fintechs, and managed service providers serving an FRFI must be able to evidence the same controls. If you supply technology to a bank or insurer, B-13 is effectively your problem too.

The three domains of B-13

B-13 organizes its expectations into three domains:

  • Governance and Risk Management — accountability, a technology and cyber risk framework, and a current technology strategy.
  • Technology Operations and Resilience — asset management, change and incident management, disaster recovery, and the ability to operate through disruption.
  • Cyber Security — identify, defend, detect, respond, and recover capabilities aligned to recognized frameworks.

Get the OSFI B-13 Readiness Matrix

This guide explains B-13’s expectations. The matrix maps 14 controls to CIS Controls v8.1 and NIST CSF so an FRFI — or the MSP serving one — can show its work.

How B-13 relates to other frameworks

B-13 deliberately aligns with established frameworks. Most FRFIs and their vendors evidence B-13 using NIST Cybersecurity Framework functions and CIS Controls v8.1 safeguards — which is exactly how our readiness matrix is structured. B-13 also connects to OSFI’s Technology and Cyber Security Incident Reporting advisory, which requires FRFIs to report material incidents to OSFI promptly.

What “non-compliance” looks like

B-13 is a supervisory guideline, not a fining statute. OSFI does not levy fixed penalties for B-13 gaps; instead it escalates supervisory attention — increased scrutiny, findings that must be remediated, placement at a higher intervention stage, and in serious cases constraints on the institution’s activities. For a vendor, the consequence is sharper: failing a B-13-driven due-diligence review can cost you the contract.

How to demonstrate B-13 readiness: a roadmap

  1. Establish governance. Document who owns technology and cyber risk and the framework you follow.
  2. Inventory and classify assets. You cannot protect or recover what you have not mapped.
  3. Prove resilience. Maintain tested disaster-recovery and incident-response capabilities with evidence.
  4. Run the readiness matrix. Map your controls to NIST CSF and CIS v8.1 and capture the evidence each row expects.
  5. Prepare your reporting path. Know how and when a material incident would be reported to OSFI.

B-13 and the rest of the financial-sector stack

FRFIs and their advisors rarely face B-13 alone. Investment dealers and advisors layer CIRO cybersecurity expectations; everyone handling personal information still answers to PIPEDA; and cyber insurers test much of the same ground. Our financial services IT practice and vCISO services are built around this stacked reality.

About this guide

This guide is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited, a Canadian managed IT and cybersecurity provider and Microsoft Solutions Partner. It is reviewed as legislation and program requirements change. Definitions are written for business leaders, not lawyers — for a legal opinion on your specific obligations, consult qualified counsel.

Want a second opinion on where your organization actually stands? We will review your current controls against this framework in plain language — no jargon, no obligation.