Building resilience through better insights: How financial institutions can use OSFI’s I-CRT framework to strengthen their cyber defences

Joanna Lewis Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada 12 December, 2023

Canadian financial institutions are operating under an incredible amount of strain, with new and evolving risks increasingly threatening their operations, profitability, stakeholder trust and long-term sustainability. Among the risks organizations are constantly working to juggle, cyber risks—including hacking, ransomware and digital surveillance—are right near the top.

The threat can’t be overstated. In addition to reputational and operational risks, the regulatory risks and financial costs associated with cyberattacks are also growing quickly. In our 2024 Global Digital Trust Insights (DTI) survey, we found the average cost of a cybersecurity breach in the financial services sector is $5 million—although individual breaches can cost substantially more. Given this, many financial institutions recognize they need to become much better at managing and mitigating cyberattacks. According to our DTI report, 43% of companies see the mitigation of cyber risks as a key priority over the next 12 months.

Given the critical importance of financial institutions, regulators in Canada have also prioritized understanding sector vulnerabilities and ensuring financial institutions are resilient against cyberattacks and cyber disruptions. In April 2023, the Office of the Superintendent of Financial Institutions (OSFI) released a framework and guidelines related to the Intelligence-led Cyber Resilience Testing (I-CRT) of federally regulated financial institutions.

Currently, only systemically important banks and internationally active insurance groups are required to undertake I-CRT assessments,¹ but the benefits of such testing could be significant for any financial institution. Given how quickly the cyber threat environment is evolving, most financial institutions could benefit from pressure testing their cyber risk exposure.

In this article, we provide an overview of I-CRT and what it means for financial institutions in Canada. We also highlight actions your financial institution can undertake so you’re ready and able to get the most out of I-CRT testing in the years ahead.

OSFI’s I-CRT framework: What financial institutions need to know

OSFI’s I-CRT framework and guidelines incorporate the use of intelligence-led penetration testing as part of the cyber resilience testing of federally regulated financial institutions. It differs from more traditional penetration testing approaches by emphasizing threat intelligence as part of the testing methodology. The approach is also much broader than traditional testing, incorporating a focus on identifying and testing threats and vulnerabilities associated with the disruption of a financial institution’s critical business functions.

OSFI’s I-CRT approach isn’t unique. It’s been used by regulators in a number of jurisdictions, including the European Union and Australia.²A pivotal aspect of OSFI’s I-CRT approach is the use of red-teaming—whereby an external provider (i.e. the red team) is tasked with attacking the financial institution as if they were a cyber threat actor—including breaking into a company’s network, avoiding detection and executing invasive actions, such as simulated data corruption, disruption and exfiltration. The financial institution’s response team (i.e. the blue team) is tasked with responding to the attack in the same way it would to a real cyberattack.

Taking your cyber resilience testing to the next level

While some financial institutions already use red-teaming as part of their cyber resilience testing, many others use more structured testing approaches, including pre-planned cyber-resilience testing and purple-teaming—whereby red and blue teams work collaboratively to test and enhance a company’s cyber resilience. Such approaches can be incredibly beneficial, particularly for helping organizations quickly enhance and mature the skills and abilities of their blue team. However, intelligence-led testing takes resilience testing to the next level by incorporating threat intelligence-based realistic threat scenarios and attacks.

Getting the most from OSFI’s I-CRT framework: Four actions to consider

I-CRT testing can be an incredibly daunting task. Whether you are—or will be—required to conduct regular I-CRT assessments by OSFI or want to use I-CRT to improve your cybersecurity approach and defences, you can use the following four activities to start your organization off on the right foot.

1. Evaluate the OSFI I-CRT framework and how it applies to your organization

As a first step, review OSFI’s I-CRT framework to understand any requirements that pertain to your organization. This is particularly important for systemically important banks and internationally active insurance groups, as OSFI expects these institutions to conduct an I-CRT assessment at least once during each three-year supervisory cycle.

If you’re not specifically required to adhere to OSFI’s framework at present, consider how your organization could use the OSFI framework as an opportunity to develop a more robust and proactive approach to testing your cyber resilience.

Are you required to undertake I-CRT assessments by OSFI—and when will you need to start?
What aspects of the OSFI framework and guidelines can you leverage to improve your cyber resilience?
How can you collaborate with stakeholders to get the most from the I-CRT framework (e.g. OSFI, existing third-party cybersecurity advisers)?

2. Assess your current cybersecurity processes and readiness against the I-CRT and identify gaps

Assess your current cybersecurity processes, critical business functions, technologies, teaming approaches (i.e. red, blue, purple) and resilience testing against OSFI’s I-CRT framework and guidelines. Identify any strengths, weaknesses, opportunities and gaps that need to be addressed so you can use the framework and red-teaming approach effectively.

As part of this process, it may be useful to consider how to bridge the gap between where you are today and where you need to be in the future. For example, rather than go straight to a red-teaming approach, you may find it more beneficial to use purple-teaming as a mechanism to build and enhance your internal capabilities with the help of a third-party provider. This might include starting with more limited simulations and then graduating to more complex emulations that mimic threat actor tactics, techniques and procedures (TTPs) more closely.

How does your current resilience testing approach align with the OSFI framework and guidelines?
What gaps do you need to address to use the framework more effectively?
How can you prepare to leverage OSFI’s red-teaming approach—for example, by assessing and mitigating the risks associated with the exercise to make sure it’s conducted in a controlled manner?
How can you leverage the experience of third parties to help enhance the skills of your blue team in advance of red-teaming based testing?

3. Select your threat intelligence and red-teaming providers

The OSFI guidelines require financial institutions to use external threat intelligence and red-teaming providers. Assess your current third-party relationships and potential providers based on the unique needs of your organization, and select partners that align with your requirements.

When selecting a third-party threat intelligence provider, consider the following factors:

Breadth of intelligence and geographical reach to understand global threat signals. The intent behind possible attacks varies (e.g. espionage, hacktivism, sabotage, crime), and a provider’s understanding will help drive their testing strategy
Use of a variety of techniques, such as clustering, to identify early warning signs
Access to closed (non-public) sources of intelligence, partnerships and open-source intelligence
Understanding of risks specific to your organization’s characteristics (e.g. geographic spread, customer base, products and services, technology infrastructure) to contextualize intelligence
Ability to identify, monitor and quickly react to intelligence from a range of sources (e.g. Dark Web and OSINT, 24x7 Threat Intelligence Platforms, reporting on emerging critical and high vulnerabilities, social media monitoring, credential leakage monitoring, malicious domain infrastructure monitoring, key vendor breach alerts and emerging threat research)

When selecting a third-party red-teaming provider, consider the following factors:

Breadth of experience working with organizations like yours (e.g. global, regional, local)
Ability to turn threat intelligence into relevant customized attack approaches
Ability to leverage different teaming approaches (e.g. purple-teaming) to make sure your organization is prepared for red-teaming
Experience conducting red-team testing on organizations, including providing post-test assessment, insights and actionable recommendations
Use of adaptive tools and accelerators, and alignment to frameworks such as MITRE Attack

4. Conduct testing on a regular basis to enable your organization’s responses to consider evolving threats

Recognize that I-CRT is not a one-and-done activity. The cyber threat environment is changing incredibly quickly—and your financial institution needs to be able to respond and adapt accordingly. Consider how you will incorporate testing and testing results on an ongoing basis to continuously improve your cybersecurity posture and defence processes.

How will you enable your resilience testing approach to remain relevant even as cyber threat and attack approaches change?
How will you test and enhance the capabilities of your incident team so they’re well positioned to respond to future threats?

Be proactive. Be ready

Too often, organizations don’t consider proactively and aggressively pressure testing their cyber defences until after they’ve been the victim of a cyberattack and experienced the speed, complexity and sophistication of malicious threat actors and the extent of damage cyberattackers can cause very quickly.

Whether or not your financial organization is required to conduct an I-CRT assessment with OSFI, you should consider how you can leverage the I-CRT framework, threat intelligence and red-teaming to take a more proactive stance against cyberattacks. By embracing a more realistic approach to threat intelligence and cyber resilience testing—and using the results of any tests to focus your cybersecurity strategies and investments—you can enable your organization to be as prepared as possible to respond when real attacks happen.

Find out more

If you’d like to learn more about OSFI’s I-CRT framework and how your organization can prepare for future I-CRT testing or would like to discuss how your financial institution can use the framework to take your cyber resilience testing to the next level, contact us.