OSFI B-13 Penetration Testing


DarkPoint Security provides OSFI penetration testing services aligned to Guideline B-13, Technology and Cyber Risk Management. Our OSFI B-13 security assessments help federally regulated financial institutions — banks, insurance companies, trust companies, and cooperative credit associations — validate their security controls and demonstrate a mature approach to technology and cyber risk management.

  • Penetration testing aligned to OSFI B-13 Domain 3 — Cyber Security
  • Red team exercises to test detection and response capabilities
  • Web application and cloud security assessments for critical financial systems
  • Reports structured for OSFI examination and board-level reporting
  • Third-party risk assessment support for outsourced technology services

What is OSFI Guideline B-13?

OSFI Guideline B-13, Technology and Cyber Risk Management, is a regulatory guideline published by the Office of the Superintendent of Financial Institutions (OSFI), the prudential regulator and supervisor of federally regulated financial institutions (FRFIs) in Canada. The guideline sets OSFI's expectations for how banks, insurance companies, trust and loan companies, and cooperative credit associations identify, manage, and mitigate the risks arising from their use of technology and their exposure to cyber threats.

Issued in July 2022 and effective January 1, 2024, Guideline B-13 consolidates and strengthens OSFI's earlier guidance on technology risk into a single framework. It is organized into three domains: Domain 1 covers Governance and Risk Management, Domain 2 addresses Technology Operations and Resilience, and Domain 3 focuses on Cyber Security. Each domain states an outcome the institution is expected to achieve, supported by principles that describe how to get there, with particular emphasis on maintaining the confidentiality, integrity, and availability of the technology assets and data that support critical business operations. The security testing expectations discussed on this page sit in Domain 3.

For Canadian federally regulated financial institutions, compliance with B-13 is mandatory. OSFI has the authority to assess adherence through supervisory reviews, on-site examinations, and ongoing monitoring. Institutions that fail to meet the guideline's expectations may face heightened supervisory scrutiny, conditions on business activities, or other regulatory interventions. OSFI B-13 penetration testing and independent security assessments are a core component of demonstrating that your institution meets the guideline's cyber security and operational resilience requirements.

OSFI B-13 Security Testing Requirements

Guideline B-13 establishes clear expectations for security testing as part of a financial institution's technology and cyber risk management program. The following areas are directly relevant to OSFI B-13 penetration testing engagements.

  • Domain 3 — Cyber Security — OSFI expects institutions to maintain a secure technology posture that preserves the confidentiality, integrity, and availability of their technology assets. This includes a cyber security testing program that validates the effectiveness of preventive and detective controls across the institution's technology environment. Penetration testing directly addresses this domain by identifying exploitable weaknesses before threat actors can leverage them. Findings also feed Domain 2 (Technology Operations and Resilience) processes such as patch management and change management, where the remediation itself is carried out.
  • Cyber Security Testing Expectations — B-13 requires institutions to implement a comprehensive testing program proportionate to their risk profile. This includes regular vulnerability assessments to identify known weaknesses, penetration testing to validate whether vulnerabilities can be exploited in practice, and threat-led red team exercises for institutions with more complex risk profiles. Testing should cover internet-facing systems, internal infrastructure, and applications that support critical business services.
  • Vulnerability Assessments and Penetration Testing — Institutions must conduct regular vulnerability assessments and penetration tests to evaluate the effectiveness of their security controls. Testing should confirm that known vulnerabilities have been remediated, identify previously unknown security gaps, and validate that security architectures function as intended under adversarial conditions.
  • Red Team Exercises — For institutions with significant technology footprints or elevated risk profiles, OSFI expects threat-led penetration testing and red team exercises that simulate realistic, multi-stage attack scenarios. These exercises test the institution's ability to detect, respond to, and contain sophisticated cyber attacks targeting critical systems, sensitive data, and essential business services.
  • Third-Party Risk Assessment Requirements — Guideline B-13 requires institutions to assess and manage technology and cyber risks arising from third-party service providers, including cloud providers, managed service providers, and technology vendors. Penetration testing supports this requirement by evaluating the security of integration points, APIs, and data flows between the institution and its critical third parties.

How DarkPoint Helps You Meet OSFI B-13 Requirements

DarkPoint Security maps our penetration testing services directly to OSFI B-13 domains and outcomes, ensuring that every engagement produces results that support your institution's regulatory compliance posture and strengthen your overall security program.

  • External Network Penetration Testing — Assesses your institution's internet-facing infrastructure against real-world attack techniques, identifying vulnerabilities in perimeter defences, VPN gateways, and public-facing services that could allow unauthorized access to internal systems and sensitive financial data
  • Internal Network Penetration Testing — Simulates an insider threat or compromised endpoint within your corporate network, evaluating Active Directory security, lateral movement paths, privilege escalation opportunities, and access controls protecting critical financial systems and data repositories
  • Web Application Penetration Testing — Tests customer-facing banking portals, insurance platforms, internal applications, and payment processing systems for vulnerabilities including injection flaws, authentication bypasses, business logic errors, and session management weaknesses
  • Red Team Engagements — Conducts realistic, multi-phase attack simulations that test your institution's detection and response capabilities across people, processes, and technology, addressing OSFI's expectations for threat-led testing at institutions with elevated risk profiles
  • Phishing Campaigns — Evaluates employee awareness and email security controls through targeted, realistic phishing simulations that test human-factor risk management — a key component of B-13's cyber security expectations
  • Cloud Penetration Testing — Evaluates the security of cloud-hosted infrastructure and services across AWS, Azure, and GCP, including identity and access management configurations, storage permissions, network segmentation, and compliance with the institution's cloud security policies

Our reports are structured with OSFI regulatory examination in mind. Each finding includes severity ratings, business impact analysis, and mapping to the relevant B-13 domain, providing your compliance, risk, and information security teams with the documentation needed to demonstrate adherence to OSFI expectations.

Our OSFI B-13 Testing Process

DarkPoint Security follows a structured methodology designed to produce thorough, regulator-ready results for federally regulated financial institutions.

  • Scoping Aligned to OSFI Expectations — We work with your technology risk, information security, and compliance teams to identify critical technology assets, essential business services, and third-party dependencies that fall within the scope of B-13. Scoping is informed by your institution's risk profile, OSFI's expectations for adequate testing coverage, and the criticality of systems that process, store, or transmit sensitive financial data.
  • Testing Methodology — Our security consultants perform comprehensive testing using industry-standard methodologies and threat intelligence relevant to the Canadian financial sector. Testing covers network infrastructure, web applications, cloud environments, and social engineering vectors as appropriate to the engagement scope. We simulate realistic attack scenarios that reflect the threat landscape facing federally regulated institutions, including tactics used by advanced persistent threat groups targeting the financial services industry.
  • Reporting for Regulators — We deliver a detailed report that includes an executive summary suitable for board and senior management review, technical findings with severity ratings and business impact assessments, explicit mapping to relevant OSFI B-13 domains and outcomes, and prioritized remediation recommendations. Reports are structured to support OSFI supervisory reviews, internal audit requirements, and board governance obligations under the guideline.
  • Remediation and Validation — After your team addresses the identified vulnerabilities, we perform retesting to confirm that remediation efforts are effective and do not introduce new security issues. This validation cycle demonstrates to OSFI examiners that your institution follows a complete security testing lifecycle — from identification through remediation to verification — as expected under a mature technology risk management program.

Relevant Services

DarkPoint Security offers the full range of penetration testing services needed to satisfy OSFI B-13 security testing expectations, as described above.

Frequently Asked Questions

What is OSFI Guideline B-13 and who does it apply to?

OSFI Guideline B-13, Technology and Cyber Risk Management, is a regulatory guideline issued by the Office of the Superintendent of Financial Institutions that applies to all federally regulated financial institutions in Canada, including banks, insurance companies, trust and loan companies, and cooperative credit associations. The guideline establishes expectations for how these institutions manage technology and cyber risks, including expectations for security testing such as penetration testing, vulnerability assessments, and red team exercises. OSFI assesses adherence through supervisory reviews and examinations.

How often does OSFI B-13 require penetration testing?

B-13 does not prescribe a fixed testing interval. It expects federally regulated financial institutions to test on a regular basis, with the frequency proportionate to the institution's risk profile and the criticality of its technology assets. In practice, most institutions treat annual penetration testing as a baseline, testing critical systems more frequently and re-testing after significant changes to infrastructure or following major incidents. The overall program should combine vulnerability assessments, penetration testing and, where the complexity and risk of the environment warrant it, red team exercises.

Does OSFI B-13 require third-party penetration testing?

OSFI B-13 does not explicitly mandate the use of third-party penetration testers, but it does expect independent and objective assurance over cyber security controls as part of a mature technology risk management framework. Engaging a qualified external firm such as DarkPoint Security reduces the risk that internal assumptions go unchallenged, provides an outside view of your security posture, and gives OSFI examiners evidence that testing was performed independently of the teams that build and operate the systems. Independent testing also supports the guideline's expectations around assurance activities and third-party risk management.

What should an OSFI B-13 penetration testing report include?

An OSFI B-13 penetration testing report should include a clearly defined scope aligned to the institution's critical technology assets and essential business services, an executive summary suitable for senior management and board-level reporting, detailed technical findings with severity ratings based on exploitability and business impact, evidence of exploitation attempts and their potential consequences, explicit mapping of findings to the relevant OSFI B-13 domains, and prioritized remediation recommendations. The report should be structured to support OSFI regulatory examination and to demonstrate that the institution's security testing program meets the guideline's expectations for independent assurance.