OSFI Guideline B-13 — Technology and Cyber Risk Management

B-13 Domain 4 — Technology Operations and Resilience

B-13 Domain 4 covers Technology Operations and Resilience. Asset Management (Section 4.4) requires FRFIs to identify, classify, and manage technology assets through their lifecycle, including disposition. Disposition Section 4.5 requires sanitisation and disposal aligned to the asset classification. Operationally, this maps to: per-asset inventory at retirement, sanitisation method matched to the data classification, per-asset Certificate of Destruction, retention 7+ years.

Big Five bank engagement profile

Canada's Big Five — RBC, TD, Scotiabank, BMO, CIBC — all operate to B-13. Refresh cycles produce predictable retiring volumes: branch-network laptop fleets at 3-year cycles, back-office server estates at 5-year cycles, ATM IT on rolling refresh, capital-markets trading-floor IT on faster cycles. Engagement profile: programme-level master service agreements, NDA-bound, witness destruction for top-classified.

Smaller FRFI engagement profile

Beyond the Big Five, B-13 covers approximately 350 FRFIs (smaller chartered banks, federally regulated credit unions, trust and loan companies, federally regulated insurance companies). Engagement model is similar to Big Five but at smaller scale; programme contracts available at 100-asset minimum.

OSFI Cyber Security Self-Assessment

Beyond B-13, OSFI conducts the Cyber Security Self-Assessment (CSSA) annually. ITAD documentation is in scope. Maxicom certificate retention vault is structured for CSSA evidence retrieval.

OSFI inspection of ITAD documentation

OSFI inspections of FRFI technology operations typically include sampling of ITAD documentation for completeness. The four-criterion check (per-asset granularity, standard citation, verification evidence, chain-of-custody continuity) applies. Maxicom certificates pass all four; we have served OSFI inspections at multiple FRFI engagements without findings.