In one paragraph

OSFI Guideline B-13 (Technology and Cyber Risk Management) took effect January 1, 2024 and applies to all federally regulated financial institutions (FRFIs) in Canada: banks, insurers, trust and loan companies, and cooperative credit associations. B-13 does not prescribe specific controls; it sets outcomes and expectations that each FRFI must meet through a sound risk-management framework, with named accountability, a regularly refreshed risk assessment, and documented evidence of technology and cyber resilience. This matrix maps the 14 most material B-13 control areas to CIS Controls v8.1 safeguards and to NIST Cybersecurity Framework categories so that FRFIs, and the MSPs serving them, can show alignment during a B-13 review or a vendor risk assessment.

Who B-13 applies to

OSFI Guideline B-13 applies to all federally regulated financial institutions (FRFIs) supervised by the Office of the Superintendent of Financial Institutions, including foreign bank and foreign insurer branches for their Canadian operations:

  • Banks (Schedule I, II, and III)
  • Federally regulated trust and loan companies
  • Federally regulated insurance companies (life, P&C, mortgage)
  • Cooperative credit associations

Federally regulated pension plans are supervised by OSFI but are not FRFIs, and B-13 does not apply to them.

The guideline does not apply directly to provincially regulated credit unions, provincial trust companies, or provincially regulated insurers. Its expectations still reach those organizations, and any vendor, through contracts: an FRFI's third-party risk management (now set out in OSFI Guideline B-10) pushes B-13-equivalent obligations down to MSPs, SaaS providers, and consulting firms, which are routinely asked to evidence alignment as part of TPRM.

The five B-13 pillars

The final B-13 text is organized into three domains (governance and risk management; technology operations and resilience; cyber security), and OSFI set out its third-party expectations separately in Guideline B-10. For review purposes, the substantive content distills into five pillars:

  1. Governance and risk management: board-approved framework, risk appetite, named accountability.
  2. Technology operations and resilience: asset inventory, change and patch management, incident and problem management, disaster recovery.
  3. Cyber security: identify, defend, detect, respond, recover and learn (B-13's own structure, which maps onto the NIST CSF functions).
  4. Third-party risk: due diligence, contractual obligations, ongoing monitoring of vendors with material access (Guideline B-10).
  5. Resilience testing: scenario analysis, tabletop exercises, threat-led penetration testing for material services.

The OSFI B-13 Controls Matrix

The 14 control areas below cover the substantive expectations across all five pillars. Each row gives the control, the B-13 section we cite as its anchor, the corresponding CIS Controls v8.1 safeguards, the NIST CSF category (CSF 1.1 identifiers; CSF 2.0 adds a Govern function and renumbers), and the implementation pattern we deploy across our FRFI-adjacent SMB clients. Columns are separated by "|".

#  | Control area                | B-13 anchor              | CIS v8.1                                  | NIST CSF 1.1        | Typical implementation
1  | Tech risk governance        | 1.1, 1.2                 | none (governance is outside the CIS safeguards) | ID.GV         | Board-approved tech risk framework; risk appetite statement with measurable thresholds
2  | CISO accountability         | 1.3                      | none (see row 1)                          | ID.GV-2             | Named CISO with board reporting; CISSP or equivalent credential
3  | IT asset inventory          | 2.1                      | 1.1, 1.2, 2.1                             | ID.AM               | Authoritative CMDB including SaaS; quarterly reconciliation; criticality tagging
4  | Change management           | 2.4                      | 4.1, 4.2                                  | PR.IP-3             | CAB approval for material changes; emergency-change escalation
5  | Vulnerability management    | 3.2                      | 7.1-7.7                                   | PR.IP-12            | Monthly authenticated scans; 14-day critical-CVE patch SLA
6  | Logging & monitoring        | 3.3                      | 8.1, 8.5, 8.9, 8.11                       | DE.AE, DE.CM        | 24/7 SOC; SIEM with 1-year log retention, ingesting application as well as infrastructure logs
7  | Identity & access (PAM)     | 3.4                      | 5.1-5.6, 6.1-6.8                          | PR.AC               | MFA for all users; PAM for admins with documented break-glass; quarterly access review
8  | Encryption at rest/transit  | 3.4                      | 3.6, 3.10, 3.11                           | PR.DS               | AES-256 at rest; TLS 1.2+ in transit; BYOK or HSM-held keys
9  | Backup immutability         | 2.6, 4.2                 | 11.1, 11.4, 11.5                          | PR.IP-4, RC.RP      | 3-2-1 with an immutable copy; documented RPO/RTO; quarterly restore tests
10 | Incident management         | 3.6                      | 17.1-17.9                                 | RS.RP, RS.CO        | IRP aligned to NIST SP 800-61; OSFI incident-reporting SOP
11 | Business continuity         | 2.6, 4.1                 | 11.1 (BCP itself is outside CIS scope)    | RC.RP, RC.IM        | BCP per critical service; BIA refreshed annually
12 | Third-party risk (TPRM)     | 5.1-5.3 (see B-10)       | 15.1-15.7                                 | ID.SC               | Tiered vendor due diligence; SOC 2 / ISO 27001 evidence refreshed annually
13 | Security awareness training | 3.5                      | 14.1-14.3, 14.9                           | PR.AT               | Quarterly phishing simulation; annual role-based training
14 | Resilience testing          | 4.3, 4.4                 | 18.1-18.5                                 | PR.IP-10, DE.DP-3   | Annual tabletop; biennial TLPT for material services

Cross-check every anchor against the final July 2022 text before citing it in evidence. The final guideline has no domain 4 or 5 (third-party expectations live in Guideline B-10, and resilience testing is addressed within the disaster recovery and cyber security sections), and its cyber security domain is structured as identify, defend, detect, and respond/recover/learn rather than by control type. Treat the anchors here as the starting point for the FRFI's own mapping, not as citations. The CIS column for rows 1 and 2 is empty on purpose: CIS v8.1 tags its safeguards to a Govern function but has no safeguard for board governance or executive accountability, so evidence for those rows comes from charters, minutes and reporting lines, not from a technical control.

The most-missed B-13 controls

Across the Canadian financial-services SMB engagements we’ve supported, these six B-13 controls are most often weakly evidenced:

  1. Risk appetite statement that isn’t operational. Boards approve appetite at a generic level; few institutions can demonstrate how an appetite breach is detected and escalated.
  2. Asset inventory missing SaaS. CMDB tracks servers and laptops but not the 60-150 SaaS apps in active use.
  3. SOC monitors infrastructure but not application logs. A SIEM that ingests firewall logs but not the core banking app or Salesforce misses the highest-value evidence.
  4. PAM deployed but break-glass procedures undocumented. Privileged Access Management exists; the documented break-glass and quarterly review do not.
  5. Third-party risk reviews are point-in-time. SOC 2 collected at onboarding; no ongoing monitoring, no annual reattestation.
  6. Tabletop exercises check the box without testing material services. Generic phishing tabletop instead of ransomware-on-core-banking scenario with timed escalation.
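A reconciliation check for items 2 and 3 above, plus the 14-day critical-patch SLA from the matrix, as an added example that is not part of the original page and not Fusion Computing's tooling. The CMDB, SSO, SIEM and vulnerability exports, their field names, the asset names, the finding IDs and the fixed "now" timestamp are all constructed for illustration; a real run would read each export from the client's CMDB, IdP application catalogue, SIEM source list and scanner, and would need a small adapter per product.

```python
"""Added example (not from the original page): reconcile constructed CMDB,
IdP, SIEM and scanner exports to evidence three gaps B-13 reviews often miss:
SaaS apps absent from the inventory, critical assets with no (or a silent)
application-log source in the SIEM, and critical findings past the patch SLA."""
from datetime import datetime, timedelta, timezone

# Constructed sample exports. Field names are assumptions; real exports differ.
CMDB = [
    {"asset": "core-banking-app", "type": "application", "criticality": "critical"},
    {"asset": "fw-edge-01",       "type": "network",     "criticality": "high"},
    {"asset": "salesforce",       "type": "saas",        "criticality": "critical"},
    {"asset": "hr-laptop-pool",   "type": "endpoint",    "criticality": "low"},
]
# Applications assigned in the IdP (SSO) catalogue, normalised to lowercase names.
SSO_APPS = ["salesforce", "docusign", "slack", "core-banking-app"]
# SIEM log sources with the timestamp of the last event received from each.
SIEM_SOURCES = [
    {"source": "fw-edge-01", "last_event": "2024-03-01T09:58:00Z"},
    {"source": "salesforce", "last_event": "2024-02-20T00:00:00Z"},
]
# Scanner findings: constructed IDs (F-nnn), not real CVE numbers.
FINDINGS = [
    {"asset": "core-banking-app", "finding": "F-101", "severity": "critical", "first_seen": "2024-02-10T00:00:00Z", "fixed": False},
    {"asset": "fw-edge-01",       "finding": "F-102", "severity": "critical", "first_seen": "2024-02-25T00:00:00Z", "fixed": False},
    {"asset": "hr-laptop-pool",   "finding": "F-103", "severity": "high",     "first_seen": "2024-01-01T00:00:00Z", "fixed": False},
    {"asset": "salesforce",       "finding": "F-104", "severity": "critical", "first_seen": "2024-01-15T00:00:00Z", "fixed": True},
]
# Fixed reference time so the run is reproducible; a real run uses datetime.now(timezone.utc).
NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def saas_not_in_cmdb(cmdb, sso_apps):
    """Apps users can sign in to via SSO that the CMDB does not know about (most-missed item 2)."""
    known = {row["asset"] for row in cmdb}
    return sorted(app for app in sso_apps if app not in known)


def siem_coverage_gaps(cmdb, siem_sources, now, max_silence=timedelta(hours=24), tiers=("critical",)):
    """Critical assets that send nothing to the SIEM, or whose source has gone silent (item 3).

    A silent source is as much a gap as a missing one: a log pipeline that broke
    ten days ago still appears in the SIEM's source list, so check the last event."""
    last_seen = {s["source"]: parse_ts(s["last_event"]) for s in siem_sources}
    gaps = []
    for row in cmdb:
        if row["criticality"] not in tiers:
            continue
        seen = last_seen.get(row["asset"])
        if seen is None:
            gaps.append((row["asset"], "no log source"))
        elif now - seen > max_silence:
            gaps.append((row["asset"], f"silent for {(now - seen).days}d"))
    return gaps


def patch_sla_breaches(findings, now, sla_days=14, severity="critical"):
    """Open findings of the given severity older than the SLA, oldest first (matrix row 5)."""
    breaches = []
    for f in findings:
        if f["fixed"] or f["severity"] != severity:
            continue
        age_days = (now - parse_ts(f["first_seen"])).days
        if age_days > sla_days:
            breaches.append((f["asset"], f["finding"], age_days))
    return sorted(breaches, key=lambda b: -b[2])


def evidence_report(cmdb=CMDB, sso_apps=SSO_APPS, siem_sources=SIEM_SOURCES, findings=FINDINGS, now=NOW):
    """One dict per review cycle, suitable for attaching to the B-13 evidence file as JSON."""
    return {
        "as_of": now.isoformat(),
        "saas_not_in_cmdb": saas_not_in_cmdb(cmdb, sso_apps),
        "siem_coverage_gaps": siem_coverage_gaps(cmdb, siem_sources, now),
        "patch_sla_breaches": patch_sla_breaches(findings, now),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_report(), indent=2))
```

Run quarterly and keep the output with the review pack: an empty list under each key is the evidence that the control was actually exercised that period, and a non-empty list is the remediation ticket. The SIEM check deliberately treats a stale source as a gap, because the common failure is not a source that was never onboarded but one whose collector broke after a change.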

B-13 for MSPs and SaaS providers serving FRFIs

If you are an MSP or SaaS provider with FRFI clients, your B-13 alignment matters for two reasons. First, your FRFI customers will ask you to attest to specific B-13 controls under their TPRM. Second, your contract terms, especially around notification timelines, audit rights, and exit obligations, must satisfy the third-party expectations OSFI now sets out in Guideline B-10 (effective May 1, 2024), which B-13 cross-references. The practical implications:

  • Maintain a current SOC 2 Type II report or ISO/IEC 27001 certification. Many FRFIs treat one of these as a baseline gate; a SOC 2 report covers a defined period, so one that has lapsed will not pass.
  • Be prepared to notify FRFI clients within 24 hours of a security incident that affects their environment. The FRFI itself must report to OSFI within 24 hours of determining that an incident is reportable under OSFI's Technology and Cyber Security Incident Reporting Advisory, so its clock depends on how quickly you tell it.
  • Provide annual evidence of controls: pen test summary, vulnerability management metrics (including patch-SLA attainment), change management evidence.
  • Support contractual audit rights. Even if rarely exercised, the right itself is an expectation.
  • Have a documented exit / portability plan. Be able to return or destroy FRFI data within agreed timelines, and to evidence the destruction.

How B-13 maps to NIST and CIS

B-13 does not prescribe a specific framework. The most common mappings in Canadian practice are:

  • NIST Cybersecurity Framework: the five functions of CSF 1.1 (Identify, Protect, Detect, Respond, Recover) align cleanly with B-13's cyber security domain. CSF 2.0 (2024) adds a sixth Govern function that covers B-13's governance domain and changes the category identifiers, so state which version a mapping uses.
  • CIS Controls v8.1: the 18 controls give specific, testable safeguards. IG1 is the minimum baseline; IG2/IG3 fit most FRFIs, and CIS's published mapping of safeguards to CSF functions lets one evidence set serve both frameworks.
  • ISO/IEC 27001: formal certification is common at the bank tier; less universal for credit unions and smaller FRFIs.
  • NIST SP 800-53: sometimes used as the authoritative control catalog for federally regulated insurers.

About this matrix

This matrix is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited. Mike has supported Canadian financial-services SMBs and FRFI vendors on B-13 alignment since the guideline was first announced. Fusion Computing is a Microsoft Solutions Partner (Security, Modern Work, Infrastructure) and a CompTIA Managed Services Trustmark holder. We deploy this matrix as part of FRFI-vendor onboarding and re-audit annually.

If you’d like a PDF version of this matrix or want to discuss your B-13 alignment, book a 30-minute consult.