main logo icon

Published on

July 7, 2026

|

12 min read

OSFI B-13 and I-CRT: Who Needs Intelligence-Led Red Teaming in Canada

OSFI's Intelligence-led Cyber Resilience Testing (I-CRT) framework applies to Canada's six SIBs and its IAIGs. This 2026 guide explains I-CRT, how it relates to Guideline B-13 and E-21, an are-you-in-scope decision, and what every other FRFI should do.

Arafat Afzalzada

Arafat Afzalzada

Founder

Advisories

Summarize with AI

ChatGPTPerplexityGeminiGrokClaude

TL;DR

OSFI's Intelligence-led Cyber Resilience Testing (I-CRT) framework is a controlled, intelligence-led red team run against the systems behind a financial institution's critical business functions. Its current scope is narrow: all Systemically Important Banks (SIBs), which are Canada's six D-SIBs, and all Internationally Active Insurance Groups (IAIGs). If you are not a SIB or an IAIG, you are not in the formal I-CRT population. The framework is explicit that I-CRT concepts apply to all FRFIs in general, but the framework's current scope is limited to those two groups. Every FRFI still faces testing expectations under Guideline B-13, which came into effect on 1 January 2024 and asks institutions to regularly perform penetration testing, red teaming, and vulnerability assessments. Guideline E-21 adds operational-resilience testing of critical operations. In-scope institutions should plan for a multi-month, four-phase engagement (initiation, threat intelligence, red team execution, and closure) run at least once every three-year supervisory cycle, coordinated with OSFI. Everyone else should adopt the intelligence-led mindset at a proportionate scale: threat-informed penetration testing and red teaming that produces the evidence B-13 expects, without waiting to be designated.

OSFI's Intelligence-led Cyber Resilience Testing (I-CRT) framework applies to a deliberately small group of institutions. Published in April 2023, the framework defines I-CRT as "a controlled-threat assessment of FRFI's cyber resilience" that "leverages targeted threat intelligence and simulates the advanced tactics, techniques, and procedures used by a sophisticated threat actor," per OSFI's I-CRT framework. Its current scope is explicit: "While I-CRT concepts in general apply to all FRFIs, the current scope of the I-CRT framework applies to all Systemically Important Banks (SIBs) and Internationally Active Insurance Groups (IAIGs)." In Canada, the SIB group is the six domestic systemically important banks: BMO, Scotiabank, CIBC, National Bank of Canada, RBC, and TD.

The direct answer most federally regulated financial institutions (FRFIs) are looking for is this: if you are not one of the six SIBs or an IAIG, you are not in the formal I-CRT population and are not expected to run the full OSFI-coordinated exercise. That does not put you off the hook for offensive testing. Guideline B-13, Technology and Cyber Risk Management, effective 1 January 2024, expects every FRFI to "regularly perform tests and exercises, to identify vulnerabilities or control gaps in its cyber security programs (e.g., penetration testing and red teaming)." This guide is for compliance, risk, and security leaders at Canadian FRFIs who need to know whether I-CRT applies to them, what an assessment involves, and what proportionate testing looks like when it does not.

This is the Stingrai research team's 2026 reference on OSFI's I-CRT framework and how it sits alongside B-13 and E-21. It draws only on primary OSFI sources, and every claim below links to its source so any statement can be audited inline. Regulatory content is current to July 2026.

TL;DR: what a Canadian FRFI needs to know

  • I-CRT is intelligence-led, not a checklist scan: OSFI defines it as a controlled-threat assessment that "leverages targeted threat intelligence and simulates the advanced tactics, techniques, and procedures used by a sophisticated threat actor" (OSFI I-CRT framework).

  • Current scope is two groups only: all Systemically Important Banks (SIBs) and all Internationally Active Insurance Groups (IAIGs) (OSFI I-CRT framework).

  • The SIB group is six banks: BMO, Scotiabank, CIBC, National Bank of Canada, RBC, and TD are OSFI's designated domestic systemically important banks (OSFI, Systemically Important Banks).

  • Cadence for in-scope institutions: at least once during each three-year supervisory cycle, beginning in 2023 (OSFI news release, 21 April 2023).

  • B-13 covers everyone: effective 1 January 2024, Guideline B-13 expects all FRFIs to run penetration testing, red teaming, and regular vulnerability assessments (OSFI Guideline B-13).

  • E-21 adds resilience testing: Guideline E-21 expects FRFIs to identify critical operations and test their ability to stay within tolerances for disruption, with full adherence expected by 1 September 2026 (OSFI E-21 backgrounder).

  • I-CRT is regulatory-led: OSFI provides guidance and oversight throughout, so in-scope institutions coordinate the exercise with their supervisor rather than run it privately (OSFI I-CRT framework).

Key takeaways

Scope is the whole story: I-CRT is for six banks and the IAIGs, no one else, yet. OSFI states the framework's current scope is "all Systemically Important Banks (SIBs) and Internationally Active Insurance Groups (IAIGs)," while noting the concepts "in general apply to all FRFIs" (OSFI I-CRT framework). A mid-market bank, trust company, smaller insurer, or federal credit union should plan around B-13 and E-21, not a designation it will not receive today.

Being out of I-CRT scope is not being out of testing scope. B-13 already asks every FRFI for penetration testing and red teaming, and E-21 asks for resilience testing of critical operations (B-13, E-21). The real distinction is not tested versus untested, but intelligence-led-and-OSFI-coordinated versus proportionate-and-self-directed.

Third parties to the big banks inherit the expectation. A provider inside a D-SIB's supply chain is not itself a SIB, but B-13's third-party provisions push cyber and resilience expectations down the chain through contracts and due diligence. Showing credible penetration testing and red teaming is increasingly a condition of doing business with a designated institution.

Intelligence-led is a methodology you can borrow before you are mandated. The value in I-CRT is the threat-informed framing: test the way a real adversary would attack the functions that matter, not just the assets a scanner can reach. Any FRFI can adopt that mindset now, at a scale that fits its risk profile, and treat it as the on-ramp if its scope ever changes.

Methodology and sources

This reference relies exclusively on primary OSFI publications retrieved and verified in July 2026: the I-CRT framework and its 21 April 2023 launch release, Guideline B-13, Guideline E-21 and its backgrounder, and OSFI's designation of Canada's systemically important banks. Direct quotations are reproduced from those pages, and phase-duration ranges reflect the indicative timelines in the framework, shown as approximate. Where OSFI does not publish a specific number, the point is described qualitatively rather than estimated.

What is intelligence-led cyber resilience testing (I-CRT)?

Intelligence-led cyber resilience testing is OSFI's Canadian implementation of the threat-led red teaming model regulators worldwide have adopted. The OSFI I-CRT framework describes it as a "controlled-threat assessment of FRFI's cyber resilience" built on "targeted threat intelligence" that simulates the "advanced tactics, techniques, and procedures used by a sophisticated threat actor." Canada's framework sits in the same family as the Bank of England's CBEST and the European Central Bank's TIBER-EU, and shares their defining logic: start from who would realistically attack this institution, then test whether it can prevent, detect, and respond.

Two features separate I-CRT from a standard penetration test. First, it is intelligence-led: a dedicated threat-intelligence phase profiles relevant adversaries and their tactics before any active testing, so the red team emulates a plausible attacker rather than a generic checklist. Second, it is anchored to critical business functions, the operations that, if disrupted, could affect financial stability, so the test is scoped around the people, processes, and technology behind those functions rather than an arbitrary list of IP ranges. It is also regulatory-led: OSFI provides guidance and oversight throughout, which is exactly why the scope is narrow. The exercise is resource-intensive, so OSFI has focused it on the institutions whose failure would matter most to the system.

Are you in scope? An I-CRT decision guide

The scope question has a clean answer, and it is worth stating plainly before anyone spends budget on the wrong assumption.

Osfi Icrt Scope Decision

You are in the current I-CRT population if you are one of Canada's six Systemically Important Banks or an Internationally Active Insurance Group. OSFI recommends these institutions conduct an I-CRT at least once each three-year supervisory cycle, coordinated with and overseen by OSFI. Engage your supervisory team early, and confirm the exact expectations for provider accreditation and oversight directly with OSFI, because those specifics govern how the test must be run.

You are outside formal I-CRT scope if you are any other FRFI: a mid-market bank, a trust or loan company, a smaller or mono-line insurer, a federal credit union, or a foreign bank or insurance branch. The framework's concepts apply to all FRFIs in general, but the current formal scope does not reach you. You will not be asked to run an OSFI-coordinated I-CRT, and you should not buy one as though you were designated.

A third group deserves a mention: technology, cloud, and service providers inside a designated institution's supply chain. You are not a SIB, but your D-SIB and IAIG customers are, and B-13's third-party risk expectations flow down to you through their vendor due diligence and contracts. In practice, that means evidencing real penetration testing and red teaming even though you will never receive an I-CRT designation of your own.

What an I-CRT assessment involves

For in-scope institutions, an I-CRT is a multi-month program, not a one-week test. The OSFI I-CRT framework organizes it into four phases, with OSFI oversight across all of them.

Osfi Icrt Assessment Phases
  1. Initiation (approximately 6 to 8 weeks). The institution and OSFI agree scope, governance, and rules of engagement, and identify the critical business functions and systems the test will target. A small internal control group manages the exercise in confidence.

  2. Threat intelligence (approximately 6 to 10 weeks). A threat-intelligence provider produces a targeted report on the adversaries most likely to attack the institution and the tactics they would use, turning generic threat data into institution-specific attack scenarios.

  3. Red team execution (approximately 8 to 12 weeks). The red team runs the agreed scenarios against live systems supporting critical business functions while defenders remain unaware. This detection-and-response measurement is the point of the exercise, so a realistic, unhurried window matters.

  4. Closure and remediation (approximately 4 to 6 weeks). Findings are delivered, the institution runs a purple-team replay to review what was detected and missed, and remediation plans are agreed. The real value is captured here, in the fixes and detection improvements the test drives.

Because OSFI coordinates and oversees the exercise, the timeline stretches further once supervisory scheduling and remediation follow-through are included. In-scope institutions should treat I-CRT as a standing program, not a date on a calendar.

B-13 and E-21: what every other FRFI should do

The institutions outside I-CRT scope are the majority of the sector, and OSFI has not left them without testing expectations. Two guidelines carry the weight.

Osfi Icrt Regulatory Stack

Guideline B-13 is the base layer, effective 1 January 2024 and applicable to "all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches." It is organized around three domains: governance and risk management, technology operations and resilience, and cyber security. Within cyber security, it expects FRFIs to "regularly perform tests and exercises, to identify vulnerabilities or control gaps in its cyber security programs (e.g., penetration testing and red teaming)," and to conduct "regular vulnerability assessments." That is a direct, universal expectation of offensive testing, not a suggestion reserved for the largest banks.

Guideline E-21, Operational Risk Management and Resilience, is the resilience layer. Published 22 August 2024, it expects FRFIs to identify their critical operations, set tolerances for how long they can be disrupted, and test their ability to stay within those tolerances, with full adherence expected by 1 September 2026. E-21 shifts the question from "is this control present" to "can this institution keep delivering when something goes wrong," precisely what intelligence-led testing is built to answer.

Read together, B-13 and E-21 make the practical expectation for a non-SIB FRFI a recurring, threat-informed testing program covering the systems behind its critical operations. The difference from a formal I-CRT is one of scale, coordination, and supervisory oversight, not of kind. For how these testing modes fit together, see our explainers on red team versus penetration test versus continuous validation and continuous red teaming versus the annual pentest.

How to evaluate an intelligence-led testing partner

The partner selection criteria rhyme across a formal I-CRT and a proportionate B-13-aligned program. Use these when you evaluate providers.

  1. Firm-level accreditation. Individual certifications matter, but a firm-level accreditation such as CREST speaks to the provider's methodology and quality assurance as an organization. Confirm the accreditation is held by the firm, not just a few staff.

  2. Genuine threat-intelligence capability. Intelligence-led testing lives or dies on the intelligence phase. Ask how the provider builds institution-specific threat scenarios, and how that function stays independent of the red team.

  3. Depth in the vulnerability classes that break banks. Broken authorization, insecure direct object references (IDOR), and business-logic flaws are where financial applications actually fail, and they are the classes generic scanners miss. Ask how the provider finds them.

  4. Detection-and-response focus. A credible red team measures whether your blue team sees the attack, not just whether a vulnerability exists. Confirm the engagement tests detection and response, with a purple-team review at the end.

  5. Canadian regulatory fluency. A partner who understands the B-13 domains and the E-21 resilience model produces evidence that maps cleanly to supervisory review, rather than a generic report you have to translate.

For formal I-CRT engagements specifically, confirm the provider's fit against OSFI's oversight and accreditation expectations directly with your supervisory team before you contract.

Where Stingrai fits: proportionate, intelligence-led testing that supports B-13

Most Canadian FRFIs sit outside formal I-CRT scope but squarely inside B-13 and E-21. That is exactly the gap Stingrai is built to serve.

Osfi Icrt Proportionate Program

Stingrai runs threat-informed penetration testing, red teaming, and adversary simulation scoped around the critical business functions OSFI cares about, at a scale that fits a mid-market institution rather than a systemic bank. On the web application side, Stingrai's autonomous agent Snipe hunts the high-impact classes that break financial applications, including IDOR, business-logic flaws, and broken access control, while senior human pentesters lead the network, cloud, and social-engineering scenarios that make an intelligence-led exercise realistic. This produces the penetration testing and red teaming evidence that supports your B-13 and E-21 programs and the artefacts you bring to supervisory review.

Stingrai is a Canada-based firm, founded in 2021 and headquartered in Toronto with a London office, and a CREST-accredited penetration testing service provider whose team holds certifications including OSCP, OSCE3, OSWE, CRTO, and CREST CRT. Continuous coverage through Stingrai's PTaaS program keeps the systems behind your critical operations under pressure between annual cycles, so testing evidence stays current rather than going stale after a point-in-time report. For scoping and pricing, see the Stingrai pricing page, and for how this compares to the European model, our DORA threat-led penetration testing playbook.

Frequently Asked Questions

What is OSFI's I-CRT framework, and which Canadian financial institutions need it?

I-CRT, or Intelligence-led Cyber Resilience Testing, is OSFI's framework for controlled, intelligence-led red team testing of a financial institution's cyber resilience, defined as an assessment that "leverages targeted threat intelligence and simulates the advanced tactics, techniques, and procedures used by a sophisticated threat actor." Its current scope is all Systemically Important Banks (SIBs), Canada's six D-SIBs, and all Internationally Active Insurance Groups (IAIGs), per the OSFI I-CRT framework. Every other FRFI is outside the formal population.

Which banks are Canada's Systemically Important Banks?

OSFI has designated six domestic systemically important banks: BMO, Scotiabank, CIBC, National Bank of Canada, RBC, and TD, per OSFI's Systemically Important Banks page. RBC and TD are also global systemically important banks. These six, plus IAIGs, make up the current I-CRT population.

How often does OSFI expect an I-CRT assessment?

For in-scope institutions, OSFI recommends conducting an I-CRT at least once during each three-year supervisory cycle, beginning in 2023, per the OSFI news release. Because the exercise is coordinated with and overseen by OSFI, readiness is best treated as a standing program rather than a single scheduled date.

Does Guideline B-13 require penetration testing?

In effect, yes. Guideline B-13, effective 1 January 2024 and applicable to all FRFIs, expects institutions to "regularly perform tests and exercises, to identify vulnerabilities or control gaps in its cyber security programs (e.g., penetration testing and red teaming)," plus regular vulnerability assessments. Penetration testing is a universal expectation, even well outside I-CRT scope.

What is the difference between I-CRT and a standard penetration test?

A standard penetration test is usually scope-defined and driven by a checklist of assets and known vulnerability classes. I-CRT is intelligence-led: a dedicated threat-intelligence phase shapes bespoke scenarios that emulate a specific adversary against the systems behind critical business functions, with defenders unaware so detection and response can be measured. I-CRT is also coordinated with and overseen by OSFI, which a private penetration test is not.

We are a mid-market FRFI, not a SIB. What should we do?

Build a proportionate, threat-informed testing program: map your critical business functions and the systems behind them, run regular penetration testing and red teaming against those systems, and test whether your team detects and responds, all at a scale that fits your risk profile. That satisfies the B-13 testing expectation and supports E-21 without waiting to be designated.

How does E-21 relate to cyber testing?

Guideline E-21 expects FRFIs to identify critical operations, set disruption tolerances, and test their ability to stay within them, with full adherence expected by 1 September 2026. It complements B-13: B-13 asks whether your controls are sound and tested, while E-21 asks whether the institution keeps delivering critical operations when something fails. Intelligence-led testing helps answer both.

Are D-SIB technology vendors affected by I-CRT?

Not directly, but they feel the pull. A vendor in a designated bank's supply chain is not itself a SIB and will not receive an I-CRT designation. However, B-13's third-party risk expectations flow down through the bank's vendor due diligence and contracts, so suppliers are increasingly asked to evidence credible penetration testing and red teaming to keep the relationship.

References

  1. Office of the Superintendent of Financial Institutions (OSFI). Intelligence-led Cyber Resilience Testing (I-CRT) Framework. Published April 2023. https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/osfis-intelligence-led-cyber-resilience-testing-crt-framework. Defines I-CRT as a controlled, intelligence-led threat assessment, sets the current scope to all SIBs and IAIGs, describes the four assessment phases, and frames it as a regulatory-led activity with OSFI oversight throughout.

  2. Office of the Superintendent of Financial Institutions (OSFI). OSFI releases new framework to strengthen financial institutions' resilience to cyber-attacks. News release, 21 April 2023. https://www.osfi-bsif.gc.ca/en/news/osfi-releases-new-framework-strengthen-financial-institutions-resilience-cyber-attacks. Announces the I-CRT framework, confirms the at-least-once-per-three-year-supervisory-cycle cadence beginning in 2023, and states the framework applies to systemically important banks and internationally active insurance groups.

  3. Office of the Superintendent of Financial Institutions (OSFI). Guideline B-13: Technology and Cyber Risk Management. Effective 1 January 2024. https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/technology-cyber-risk-management. Applies to all FRFIs including foreign bank and insurance branches, is organized around three domains, and expects regular penetration testing, red teaming, and vulnerability assessments within its cyber security domain.

  4. Office of the Superintendent of Financial Institutions (OSFI). Systemically Important Banks. https://www.osfi-bsif.gc.ca/en/supervision/financial-institutions/banks/systemically-important-banks. Designates Canada's six domestic systemically important banks (BMO, Scotiabank, CIBC, National Bank of Canada, RBC, and TD) and notes the additional requirements, including the Domestic Stability Buffer, that apply to them.

  5. Office of the Superintendent of Financial Institutions (OSFI). Guideline E-21: Operational Risk Management and Resilience. Published 22 August 2024. https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/operational-risk-management-resilience-guideline. Expects FRFIs to identify critical operations, set tolerances for disruption, and test their ability to remain within those tolerances.

  6. Office of the Superintendent of Financial Institutions (OSFI). Backgrounder: Guideline E-21, Operational Risk and Resilience. 22 August 2024. https://www.osfi-bsif.gc.ca/en/news/backgrounder-guideline-e-21-operational-risk-resilience. Confirms the 22 August 2024 publication date and the 1 September 2026 expectation for full adherence and operationalization.

0 views

0

X

Related reading

Do You Need an Emergency Pentest After a Security Incident? First 48 Hours
Advisories

Do You Need an Emergency Pentest After a Security Incident? First 48 Hours

Do you need an emergency penetration test after a security incident? IR first, pentest second: triggers, the first-48-hours checklist, and timelines.

9 min read

How Much Does a Red Team Engagement Cost in 2026, and What Drives the Price
Advisories

How Much Does a Red Team Engagement Cost in 2026, and What Drives the Price

Red team engagements are priced on tester-days. See the 2026 cost drivers, how red team cost differs from a pentest, and how to budget before an RFP.

11 min read

What a Continuous Autonomous Pentest Looks Like: A Sample Four Week Engagement Log
Advisories

What a Continuous Autonomous Pentest Looks Like: A Sample Four Week Engagement Log

See continuous autonomous penetration testing deliverables in practice: triggers, cadence, an illustrative four-week engagement log, and what you get.

9 min read

Contents

X