Rules for cloud outsourcing
2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

B-10 Outsourcing of Business Activities, Functions and Processes ("OSFI B-10 Guidelines")

This sets out the expectations of the Office of the Superintendent of Financial Institutions ("OSFI") for federally regulated entities, such as banks, that outsource to a service provider. Federally regulated entities retain ultimate accountability for all outsourced activities. The OSFI's supervisory powers are not constrained, irrespective of whether an activity is conducted in-house, outsourced or otherwise obtained from a third party.

The OSFI's expectations may vary depending on the nature of the outsourcing arrangement, but institutions are expected to do the following:

  • Evaluate the risks associated with all existing and proposed outsourcing arrangements.
  • Develop a process for determining the materiality of arrangements.
  • Implement a program for managing and monitoring risks, commensurate with the materiality of the arrangements.
  • Ensure that senior management receives information sufficient to enable it to discharge its duties under the guidelines.

In April 2022, the OSFI released a draft update to the OSFI B-10 Guidelines, which the OSFI plans to finalize and issue in 2023-2024. The draft update includes several key changes that bear on the use of cloud service providers: a broader definition of third-party risk, removal of the materiality threshold, expanded contractual requirements, and new technology and cyber risk provisions.

An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts ("Bill C-26")

On 14 June 2022, the federal government introduced Bill C-26, which would enact the Critical Cyber Systems Protection Act and impose obligations on operators of a "critical cyber system." Every designated operator of a critical cyber system would have 90 days to establish a cybersecurity program that meets the following requirements:

  • Identify and manage any organizational cybersecurity risks.
  • Protect the operator's critical cyber systems from being compromised.
  • Detect any cybersecurity incidents affecting critical cyber systems.
  • Minimize the impact of cybersecurity incidents affecting critical cyber systems.
  • Do anything else that is prescribed by the regulations.