
Why Multi-Factor Authentication is Not Enough
Knowing is half the battle, and the use and abuse of common frameworks shed insight into what defenders need to do to build defense in depth.
September 13, 2024 - Blog

OSFI’s Intelligence-led Cyber Resilience Testing (I-CRT) is one of the most demanding cyber assessments a Canadian financial institution can face. It is not a compliance checkbox, a routine penetration test, or a tabletop exercise; instead, I-CRT is designed to answer the question of, "Can your organization withstand a realistic, intelligence-driven cyberattack against what matters most?"
For institutions approaching an OSFI-supervised I-CRT cycle (or proactively preparing for one), meaningful readiness is achievable within 90 days if the effort is focused, executive-backed, and disciplined.
Today's guide breaks down what “ready” actually means... and how to get there.
Before diving into timelines, it’s critical to reset expectations. Being ready for I-CRT does not mean:
Having zero vulnerabilities
Guaranteeing the Red Team won’t succeed
Passing without findings
Instead, readiness means:
Your Critical Business Functions (CBFs) are clearly defined, defensible, and mapped
Governance, risk controls, and decision authority are in place
Detection, response, and recovery processes are real, not theoretical
Your team can safely run a live, intelligence-led attack simulation without losing control
OSFI doesn't prioritize whether attackers get in; instead, its focus is on how your organization responds when they do.
A practical 90-day I-CRT readiness program typically breaks down into three phases:
Days 1 to 30: Foundation and governance
Days 31 to 60: Threat, control, and response readiness
Days 61 to 90: Validation, dry runs, and confirmation of gaps
Each phase builds on the last.
In the first 30 days, experts advise that you should:
Validate which services are truly critical to financial stability, customers, or market confidence
Clearly define impact tolerance (time, data loss, operational disruption)
Identify people, processes, technology, and third parties that support each CBF
Ensure executive and board-level alignment on what is “in scope”
The Control Group is the single most important success factor in I-CRT. This small, trusted group owns risk, secrecy, and decision-making throughout the exercise.
By Day 30, your team should:
Appoint a Control Group Coordinator (CGC) with authority and availability
Define clear escalation and stop/pause criteria
Formalize “need-to-know” membership (keep it small)
Align Legal, Risk, IT, and Security teams on rules of engagement
I-CRT depends on surprise. If word leaks internally, detection and response results are meaningless.
Early actions include:
Defining how the exercise will be referenced internally (code name, neutral language)
Restricting calendar entries, tickets, and documentation visibility
Establishing communication rules for vendors and internal teams
In this phase, experts recommend prioritizing:
SOC alert triage and escalation paths
Incident command structure and authority
Decision-making under pressure
Legal, communications, and executive engagement triggers
Example questions to ask during this phase include, but are not limited to:
How long does it take for a suspicious alert to reach a human?
Who decides if an incident is “material”?
Red Teams thrive in blind spots. I-CRT will expose them quickly.
During this phase:
Confirm logging coverage across identity, endpoints, networks, and cloud
Validate log retention and access for investigators
Test whether analysts can actually reconstruct attacker activity
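The two checks above that can be automated are logging coverage for the assets behind each CBF and the time it takes an alert to reach a human. The script below is an added example, not part of the original post or any OSFI material: it runs a coverage check against a constructed asset inventory and SIEM source inventory (gaps are missing sources, stale sources, and retention below a 90-day floor, all assumed thresholds) and computes alert-to-acknowledgement latency over constructed alert records. The CBF names, hostnames, thresholds and alert data are all invented for illustration.

```python
"""Logging-coverage and alert-to-human latency checks for I-CRT readiness (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed asset inventory: CBF -> list of (asset, log source types the asset must feed into the SIEM).
CBF_ASSETS = {
    "Payments": [
        ("pay-api-01", {"endpoint", "network"}),
        ("pay-db-01", {"endpoint"}),
        ("pay-idp", {"identity"}),
    ],
    "Online Banking": [
        ("web-01", {"endpoint", "network"}),
        ("s3-statements", {"cloud"}),
    ],
}

# Reference time for the constructed data (UTC).
NOW = datetime(2024, 9, 13, 12, 0, tzinfo=timezone.utc)

# Constructed SIEM source inventory: asset -> {source_type: (last event seen, retention in days)}.
SIEM_SOURCES = {
    "pay-api-01": {"endpoint": (NOW - timedelta(minutes=5), 180),
                   "network": (NOW - timedelta(days=3), 180)},   # network feed has gone stale
    "pay-db-01": {"endpoint": (NOW - timedelta(minutes=2), 30)},  # retention too short to reconstruct activity
    "pay-idp": {"identity": (NOW - timedelta(minutes=1), 365)},
    "web-01": {"endpoint": (NOW - timedelta(minutes=9), 180)},    # no network source at all
    # s3-statements: no sources onboarded at all
}

STALE_AFTER = timedelta(hours=24)   # assumed: a source silent for a day is treated as a gap
MIN_RETENTION_DAYS = 90             # assumed: investigators need at least 90 days to reconstruct a campaign


def coverage_gaps(cbf_assets=CBF_ASSETS, siem=SIEM_SOURCES, now=NOW):
    """Return {cbf: [gap descriptions]}; an empty list means every expected source is present, fresh and retained."""
    gaps = defaultdict(list)
    for cbf, assets in cbf_assets.items():
        gaps[cbf]  # make sure fully covered CBFs still appear in the report
        for asset, expected in assets:
            seen = siem.get(asset, {})
            for src in sorted(expected):
                if src not in seen:
                    gaps[cbf].append(f"{asset}: no {src} logs")
                    continue
                last_event, retention = seen[src]
                if now - last_event > STALE_AFTER:
                    gaps[cbf].append(f"{asset}: {src} logs stale ({(now - last_event).days}d)")
                if retention < MIN_RETENTION_DAYS:
                    gaps[cbf].append(f"{asset}: {src} retention {retention}d < {MIN_RETENTION_DAYS}d")
    return dict(gaps)


# Constructed alert records: (alert id, fired at, acknowledged by a human at, or None if still open).
ALERTS = [
    ("A1", NOW - timedelta(hours=6), NOW - timedelta(hours=5, minutes=50)),   # 10 min to a human
    ("A2", NOW - timedelta(hours=5), NOW - timedelta(hours=3)),               # 120 min
    ("A3", NOW - timedelta(hours=4), NOW - timedelta(hours=3, minutes=45)),   # 15 min
    ("A4", NOW - timedelta(hours=2), None),                                   # never acknowledged
]


def time_to_human(alerts=ALERTS, now=NOW):
    """Minutes from alert firing to human acknowledgement.

    Open alerts are charged their full age so far, so an ignored alert drags the
    numbers up instead of silently disappearing from the metric.
    """
    latencies, open_alerts = [], []
    for alert_id, fired, acked in alerts:
        if acked is None:
            open_alerts.append(alert_id)
            acked = now
        latencies.append((acked - fired).total_seconds() / 60)
    return {"median_min": median(latencies), "max_min": max(latencies), "open": open_alerts}


if __name__ == "__main__":
    for cbf, found in coverage_gaps().items():
        print(f"{cbf}: {'OK' if not found else ''}")
        for gap in found:
            print(f"  - {gap}")
    print("alert-to-human:", time_to_human())
```

Run it against real inventories by replacing the constructed dictionaries with exports from the CMDB and the SIEM's data-source health view; the point of the exercise is that every CBF asset appears in the report, since an asset absent from both inventories is exactly the blind spot a Red Team will find first.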
Many CBFs depend on outsourced or cloud services. If your third parties aren’t ready, neither are you.
Actions to take:
Identify which vendors are in scope for CBFs
Confirm escalation and incident notification paths
Ensure contracts and SLAs support active testing scenarios
Before an I-CRT, mature organizations run limited-scope rehearsals to validate assumptions without burning secrecy.
This can include:
Simulated ransomware or identity compromise scenarios
Walkthroughs of decision-making and communications
Validation of tooling and access for responders
Next, it is advised to test:
Control Group decision speed
The ability to pause or stop activity
Coordination between Security, IT Ops, Risk, Legal, and Executives
If decisions stall or authority is unclear, resolve it immediately. OSFI will notice hesitation more than technical gaps.
I-CRT findings are inevitable. What matters is how you respond to them.
Before execution:
Agree on how findings will be prioritized
Define ownership for remediation tracking
Align on how outcomes will be communicated to OSFI and internal stakeholders
Across institutions, the same issues appear repeatedly:
Treating I-CRT like a penetration test
Over-scoping
Letting secrecy erode due to internal curiosity
Ignoring non-technical response functions (namely Legal, Communications, and Executives)
Assuming detection equals response
Avoiding these pitfalls is often more impactful than adding new security controls.
Getting ready for I-CRT in 90 days is less about technology and more about organizational discipline. Institutions that succeed treat I-CRT as a leadership-led resilience exercise, not a security team project.
If you can clearly answer:
What matters most?
Who decides under pressure?
How quickly can we detect, respond, and recover?
Your team is closer to I-CRT readiness than you may think.
Reach out today to take the next step towards being ready for OSFI's I-CRT.