Bank of Canada announces partnership to improve resilience in financial sector

The Bank of Canada today announced the launch of a public-private partnership to strengthen the resilience of Canada’s financial sector in the face of risks to business operations, including cyber incidents. The Canadian Financial Sector Resiliency Group (CFRG) will be responsible for coordinating a sector-wide response to systemic-level operational incidents. CFRG will also support ongoing resiliency initiatives, such as regular crisis simulation and benchmarking exercises. These efforts will reduce risk and help ensure a robust recovery in the event of an incident. The CFRG will start its work in August 2019.

Led by the Bank of Canada, this initiative brings together the following organizations:

• Department of Finance Canada
• Office of the Superintendent of Financial Institutions (OSFI)
• Canada’s systemically important banks
• Designated Canadian financial market infrastructures (FMIs), which include the payment, clearing and settlement systems

While the increased interconnectedness of the financial sector brings many benefits, it also means that an incident in one institution may spread to others and be amplified. Should an incident, such as a major cyber attack, threaten the operations of the financial sector’s critical infrastructure, the CFRG will coordinate the national response. Each member organization’s highest officials will be involved in crisis coordination.

“We need strong controls within each institution. And we need partnerships between public agencies and the private sector to bridge any gaps in coordination, especially when it comes to cyber risks,” said Bank of Canada Governor Stephen S. Poloz. “The CFRG brings together many of our trusted partners to work with us making our financial system safe and resilient.”

“Operational risks—including cyber attacks—are real, and they pose a threat to the payments system and in fact the entire financial system,” said Brian Porter, Chief Executive Officer of Scotiabank. “We look forward to working with the Bank of Canada and organizations across the sector to build a more resilient, more robust financial system that better protects our customers against new threats.”

Notes to editors

• The CFRG replaces the Joint Operational Resilience Management Program (JORM), which played a similar role but had a different membership base and did not have the mandate to look at resiliency coordination for cyber events.
• The creation of the CFRG is the latest of several initiatives by the Bank of Canada to enhance the cyber resilience of the Canadian and global financial sectors:
  • The Bank of Canada recently updated its own cyber strategy, which provides details about the Bank’s strategic approach to cyber security over the next three years and ensures the Bank implements the most effective ways to protect its systems and information.
  • The Bank of Canada also leads the Resiliency of the Wholesale Payments Systems program, created in 2018. This public-private partnership involves Canada’s six largest commercial banks and Payments Canada and aims to enhance the cyber resilience of the wholesale payments system. For further information, see the May 2018 speech “Strengthening Our Cyber Defences” by Bank of Canada Chief Operating Officer Filipe Dinis.
  • The Bank of Canada will continue to work with the federal government as part of the National Strategy for Critical Infrastructure, which identified the financial system as one of the critical infrastructure sectors in Canada.
  • As part of the Committee on Payments and Market Infrastructures, the Bank helped set high-level international principles to enhance FMIs’ cyber resilience through the publication of “Guidance on cyber resilience for financial market infrastructures.” The Bank now plans to set out more detailed expectations for how FMIs would meet the Bank’s cyber risk management standards.
  • The Bank, the Department of Finance and OSFI have collaborated with their G7 partners to publish three sets of guidelines targeted at the financial sector: cybersecurity principles, effective assessment of cybersecurity, and third-party cyber risk management.