Compliance & Security

OSFI B-13 Compliance for Toronto Financial Services Firms: A Practical Guide for 2026

By Damir Grubisa Founder & CEO, Group 4 Networks Updated July 13, 2026

OSFI Guideline B-13 requires federally regulated financial institutions to demonstrate technology and cyber risk management. Here is what Toronto firms need.

OSFI B-13 Compliance Toronto Financial Services: What Your Firm Must Have in Place

OSFI Guideline B-13 - Technology and Cyber Risk Management - came into full effect for federally regulated financial institutions (FRFIs) on July 1, 2023. Three years into its implementation, OSFI examiners are moving from initial gap assessment to active scrutiny of whether institutions have operationalized their B-13 programs.

For Toronto financial services firms - including trust companies, federally chartered banks, insurance companies, and investment dealers that fall under OSFI's mandate - the question has shifted from whether B-13 applies to whether your implementation can withstand examination.

This guide explains what B-13 requires, where Toronto firms commonly fall short, and how to build an IT governance program that satisfies OSFI's expectations.


What OSFI B-13 Requires

Guideline B-13 establishes OSFI's expectations for technology and cyber risk management across five domains:

Domain 1: Governance and Accountability

B-13 requires a clear governance structure for technology and cyber risk. This means a designated Senior Accountable Officer (SAO) with explicit board-level accountability for technology risk, technology risk appetite statements approved by the board, and regular reporting to the board on technology and cyber risk exposure.

For smaller Toronto FRFIs, this governance structure is often the hardest B-13 requirement to operationalize. Many have appointed an SAO in title without establishing the reporting cadence, risk appetite framework, and board-level oversight structure B-13 envisions. OSFI examiners ask for board minutes showing technology risk discussions, not just an organizational chart.

Domain 2: Technology Asset Management

B-13 requires FRFIs to maintain a complete, current inventory of technology assets - hardware, software, cloud services, and data assets. The inventory must include ownership, classification, and lifecycle information. OSFI's technology risk management expectations require that asset inventories be used to actively manage technology risk, not simply documented and filed.

This domain is where AI governance intersects directly with B-13. AI tools - including large language models used by staff, AI-powered SaaS platforms, and vendor systems that run AI against your data - are technology assets that must appear in your B-13 asset inventory. Shadow AI tools that have not been catalogued create an inventory gap that OSFI examiners specifically look for.

Domain 3: Technology Operations and Resilience

B-13 requires FRFIs to manage technology operations risk and maintain business resilience. This includes change management processes for technology changes, incident management capabilities with defined recovery time objectives (RTOs) and recovery point objectives (RPOs), capacity management for systems supporting critical operations, and tested business continuity and disaster recovery plans.

For Toronto financial services firms, the B-13 resilience requirements typically require a more formalized approach to change management and DR testing than many SMFIs have historically maintained. OSFI expects documented evidence of DR tests, not assertions that testing occurs.

Domain 4: Cyber Risk Management

B-13's cyber risk domain aligns closely with frameworks like NIST CSF and CIS Controls. Requirements include continuous vulnerability management, penetration testing of critical systems, third-party cyber risk management, and incident response capabilities with defined notification timelines.

The B-13 cyber incident notification requirement is particularly important: FRFIs are required to notify OSFI of technology incidents that meet defined thresholds within specific timeframes. A cyber incident response plan that does not include OSFI notification procedures is non-compliant on its face.

Domain 5: Third-Party Risk Management

B-13 requires FRFIs to apply technology and cyber risk management to all third parties that provide technology services or handle FRFI data. This includes cloud providers, software vendors, managed service providers, and any other party with access to FRFI systems or data. OSFI expects written contracts, due diligence records, and ongoing monitoring for all material technology third parties.


Where Toronto Financial Services Firms Commonly Fall Short

Based on common examination findings and industry discussions, three B-13 gaps appear most often at Toronto FRFIs:

Gap 1: Technology asset inventory gaps

The inventory requirement seems straightforward but in practice many firms have a combination of an incomplete CMDB, outdated software inventory, undocumented cloud services, and - increasingly - AI tools that were never formally catalogued. OSFI examiners ask to see the inventory and trace a sample of assets through it. Gaps are visible immediately.

Gap 2: Third-party risk program formalization

Many Toronto financial services firms have vendor relationships that predate B-13 and operate on contracts that contain no cyber risk provisions, no right-to-audit clauses, no data breach notification requirements, and no exit provisions for security failures. B-13 requires all material technology third parties to be under contracts and monitoring programs that reflect cyber risk requirements. Remediating a legacy vendor relationship backlog is the most time-consuming B-13 remediation activity for most firms.

Gap 3: Incident response and OSFI notification procedures

Cyber incident response plans are common, but many do not include OSFI-specific notification thresholds and timelines. B-13 requires notification to OSFI of technology incidents meeting defined materiality thresholds. If your incident response plan does not define those thresholds and the procedures for OSFI notification, your plan is incomplete for B-13 purposes.


Building a B-13-Compliant IT Program for Toronto Financial Firms

A B-13 compliance program for a Toronto FRFI with 20 to 200 employees involves five workstreams:

Workstream 1: Technology asset inventory

Build and maintain a current inventory of all technology assets using a combination of automated discovery and manual documentation. The inventory must include hardware, software, cloud services, and data assets. Classification (critical, important, standard) drives risk management priorities. Group 4 Networks deploys automated asset discovery tools as part of all managed IT engagements - the inventory is maintained continuously, not annually.

Workstream 2: AI governance and shadow AI remediation

All AI tools must be in the asset inventory, assessed for compliance risk, and governed under documented use policies. This includes approved tools, vendor-embedded AI, and any shadow AI identified through discovery. Our AI Governance service addresses this workstream specifically, combining shadow AI detection with ongoing monitoring.

Workstream 3: Third-party risk program

Review all technology vendor contracts for B-13-required provisions: cyber incident notification requirements, right-to-audit clauses, data security standards, and exit provisions. Prioritize material technology providers first - your managed IT provider, cloud platforms, and any SaaS handling regulated data. Implement a vendor risk assessment process for new technology engagements.

Workstream 4: Cyber incident response and OSFI notification

Update your incident response plan to include: B-13 materiality thresholds for OSFI notification, specific notification timelines and contact procedures for OSFI, and tabletop exercise scheduling (OSFI expects evidence of regular testing). Group 4 Networks' cyber incident response retainer includes OSFI notification procedures specifically for financial services clients.

Workstream 5: Governance documentation and board reporting

Establish a quarterly board reporting cadence for technology and cyber risk. Reports should include: risk exposure summary against your technology risk appetite, significant technology incidents and near-misses, third-party risk status, and remediation program progress. OSFI examiners review board minutes for evidence that these discussions are occurring.


How Group 4 Networks Supports OSFI B-13 Compliance

Group 4 Networks has served 200+ GTA businesses with managed IT, cybersecurity, and compliance services since 2008, with a 15-minute critical response SLA and 99.9% uptime guarantee. For Toronto financial services clients, our services address each B-13 workstream:

Technology asset management: Automated asset discovery, continuous inventory maintenance, and classification aligned with B-13 risk tiers.

AI governance and shadow AI detection: Full shadow AI audit, AI Risk Register, and ongoing monitoring integrated with your B-13 asset inventory. See our AI Governance service for details.

Cyber risk management: 24/7 SOC monitoring, vulnerability management, penetration testing coordination, and incident response with OSFI notification procedures built in.

Compliance-as-a-Service: Continuous compliance monitoring, audit-ready evidence generation, and quarterly compliance reviews that produce the documentation OSFI examiners request.

Third-party risk support: Vendor contract review, due diligence assessment support, and ongoing third-party monitoring for your material technology vendors.

We work alongside your legal and compliance teams - we are the IT implementation layer that turns B-13 policy commitments into technical controls and documented evidence.

Call us at (416) 623-9677 or book a B-13 readiness assessment to understand your current gaps.


Frequently Asked Questions

What is OSFI Guideline B-13 and who does it apply to?

OSFI Guideline B-13 - Technology and Cyber Risk Management - applies to all federally regulated financial institutions (FRFIs) in Canada, including federally chartered banks, trust companies, insurance companies, and federally regulated investment dealers. It came into full effect July 1, 2023. If your Toronto financial services firm is federally regulated under OSFI's mandate, B-13 applies to your technology and cyber risk management program.

What are the most common B-13 compliance gaps for Toronto financial services firms?

The three most common gaps are: incomplete technology asset inventories (particularly for cloud services and AI tools), third-party vendor contracts that predate B-13 and lack required cyber risk provisions, and incident response plans that do not include OSFI-specific notification thresholds and procedures. Group 4 Networks conducts B-13 readiness assessments that identify and prioritize these gaps.

How does OSFI B-13 treat AI tools and shadow AI?

B-13's technology asset management domain requires FRFIs to maintain a complete, current inventory of technology assets - which includes AI tools. Shadow AI tools that have not been catalogued create an inventory gap that OSFI examiners specifically look for. B-13 also requires third-party risk management for all technology vendors, which extends to AI service providers. Our AI Governance service addresses both requirements.

Does B-13 require penetration testing?

Yes. B-13's cyber risk management domain requires FRFIs to conduct penetration testing of critical systems. OSFI expects evidence of testing - documented test results and remediation records - not assertions that testing occurs. The frequency and scope of required testing scales with the institution's risk profile and the criticality of the systems tested.

How quickly must FRFIs notify OSFI of a technology incident?

B-13 requires FRFIs to notify OSFI of technology incidents meeting defined materiality thresholds. Notification timelines vary by incident severity - significant technology incidents require notification "as soon as possible" after the institution becomes aware. Your incident response plan must define B-13 materiality thresholds and include specific OSFI notification procedures and contact information.


Group 4 Networks has delivered managed IT, cybersecurity, and compliance services to 200+ GTA businesses since 2008. Our 15-minute P1 response SLA and 99.9% uptime guarantee are contractual commitments, not marketing claims.

Need IT support in Toronto?
(416) 623-9677  ·  Contact Group 4 Networks
About the Author

Damir Grubisa is the Founder & CEO of Group 4 Networks, Toronto's leading managed IT services provider and cybersecurity firm serving the Greater Toronto Area since 2008. With 15+ years of experience in managed IT, cybersecurity, cloud solutions, and compliance consulting, Damir has helped 200+ GTA businesses protect their infrastructure, achieve regulatory compliance, and scale their technology operations.

Connect with Damir on LinkedIn →