The cyber threat landscape is constantly evolving. To advise federally regulated financial institutions on how to manage cybersecurity, OSFI released Guideline B-10 in May 2023. The guideline sets clear expectations on how institutions should manage cybersecurity and ensure that their programs comply with current best practices.

What Are the New Guideline Recommendations?

In May 2023, the Office of the Superintendent of Financial Institutions (OSFI) released its updated B-10 guideline, reinforcing the requirements for third-party risk management in the financial sector. There are several key aspects that an organization needs to consider in order to align with the new requirements. These include:

Enhanced Due Diligence

Federally regulated financial institutions must strengthen their due diligence processes when selecting and assessing third-party service providers. This includes evaluating each provider's financial health, security controls, and business continuity plans.

How RiskRecon by Mastercard can help:

RiskRecon enables users to effectively evaluate the security controls of all potential vendors: it performs a thorough scan when a vendor is selected and then continues to monitor that vendor in alignment with the risk program of each OSFI-regulated organization. Additionally, using RiskRecon in conjunction with a comprehensive questionnaire helps to better identify business continuity plans and the assets that support them. For example, if an organization claims to have a geographically diverse redundant system, with disparate hosts and providers, this can be readily verified in RiskRecon using our IT Profile resources.

Ongoing Monitoring

Regular monitoring and reassessment of third-party providers are critical to ensure continued compliance and risk mitigation. Institutions are advised to implement robust monitoring mechanisms and establish clear escalation procedures so that risk is promptly identified and addressed.

How RiskRecon by Mastercard can help:

RiskRecon is unique in that it not only categorizes vendors, but also highlights the priority of assessment requirements based on relationship criticality, which is unique to each vendor. This categorization and prioritization ensures vendors are assessed in a relevant way. Plus, there are alert systems and mechanisms to interact with vendors to ensure compliance, further reducing the likelihood of an event. RiskRecon also alerts on vendors that have fallen out of compliance, enabling the immediate escalation of an incident response plan.

Risk Assessment

There is emphasis on a comprehensive risk assessment process that considers both the criticality of the services provided by third parties and the potential impact on the institution's operations.

How RiskRecon by Mastercard can help:

RiskRecon’s intuitive interface enables analysts to quickly understand the overall state of the third-party portfolio and to see low performers in the context of the criticality of the service or the risk relationship with the vendor. This improves the effectiveness of the risk assessment, increases the capacity to manage more vendors, and improves the ability to understand the cyber risk of each vendor in a meaningful way.

RiskRecon determines value at risk for each system by discovering authentication, transaction capabilities, and data types collected such as form fields collecting email addresses, credit card numbers, and names.

Governance and Oversight

Federally regulated financial institutions must establish effective governance frameworks that ensure oversight of third-party relationships. This includes assigning clear roles and responsibilities within the organization.

How RiskRecon by Mastercard can help:

RiskRecon has built-in labeling systems to help third-party risk management (TPRM) analysts manage the vendor relationship. In conjunction with a comprehensive Risk Management Plan, RiskRecon can improve risk incident reporting times.

Business Continuity and Incident Response

Federally regulated financial institutions must collaborate with their third-party providers to develop robust business continuity and incident response plans. These plans should address potential disruptions and security incidents to minimize the impact on institutions and their customers.

How RiskRecon by Mastercard can help:

While RiskRecon doesn’t play a role in building the incident response or business continuity plans themselves, it can help ensure that the technical architecture meets the agreed-upon security standards. Plus, it can monitor the posture of those assets to improve the likelihood of meeting DR and RTO/RPO objectives.

Risk Appetite Framework

Federally regulated financial institutions must establish a risk appetite framework that aligns with their business objectives and risk tolerance. This framework helps in assessing and managing third-party risks effectively.

How RiskRecon by Mastercard can help:

Although RiskRecon does not aid in the actual establishment of a risk appetite framework, it can map vendors to an established risk relationship structure outlined in a risk register. This helps in understanding the schedule and necessity of an assessment and can help escalate the depth and breadth of the overall assessment.

Documentation and Reporting

Federally regulated financial institutions must maintain comprehensive documentation of their third-party relationships, including contracts, due diligence reports, and audit findings. Robust reporting mechanisms should be implemented to keep senior management and OSFI informed about the institution’s third-party risk management.

How RiskRecon by Mastercard can help:

RiskRecon provides robust reporting that details and identifies the current state, recent changes, and potential risks that may affect the risk posture of an OSFI-regulated institution. Additionally, the new Self-Serve Reporting module now allows organizations to build comprehensive reports that provide insights not only on the state of the third-party domain as a whole, but also on individual third-party companies.

Want to learn and see more?

To see the full OSFI compliance power of RiskRecon, sign up for our 30-day trial here.