Skip to main content
Packetlabs Company Logo
Blog

Intelligence-Led Cyber Resilience Testing (I-CRT) Framework for Financial Institutions

Authored By Packetlabs

Intelligence-Led Cyber Resilience Testing (I-CRT) Framework for Financial Institutions

Cyber threats against financial institutions continue to increase in sophistication, frequency, and business impact. Traditional penetration testing remains an important component of cybersecurity programs, but regulators increasingly recognize that point-in-time testing alone cannot accurately measure an organization's ability to withstand modern, intelligence-driven attacks.

To address this challenge, the Office of the Superintendent of Financial Institutions (OSFI) introduced the Intelligence-Led Cyber Resilience Testing (I-CRT) Framework. Rather than focusing solely on identifying technical vulnerabilities, I-CRT evaluates whether a federally regulated financial institution (FRFI) can prevent, detect, respond to, and recover from realistic attacks targeting its most critical business functions.

For Canadian banks, insurers, and other regulated financial organizations, understanding the I-CRT framework is becoming increasingly important.

This guide explains what the I-CRT framework is, how it differs from traditional penetration testing, and what organizations should do to prepare.

What is OSFI's Intelligence-Led Cyber Resilience Testing Framework?

OSFI's Intelligence-Led Cyber Resilience Testing (I-CRT) Framework is a regulatory-led methodology designed to assess the cyber resilience of federally regulated financial institutions using realistic threat intelligence and controlled red team exercises.

Unlike conventional penetration tests that focus primarily on finding technical vulnerabilities, I-CRT combines:

  • Commercial threat intelligence

  • Advanced red team operations

  • Regulatory oversight

  • Risk management

  • Executive governance

  • Critical business function testing

The goal is to evaluate how effectively an organization can withstand sophisticated cyberattacks that mirror real-world adversaries targeting Canada's financial sector.

Why OSFI Developed the I-CRT Framework

The financial services industry remains one of the most targeted sectors globally.

Threat actors include:

  • Nation-state groups

  • Organized cybercriminals

  • Ransomware operators

  • Financially motivated attackers

  • Insider threats

Traditional security testing often identifies individual vulnerabilities but may not demonstrate how attackers could chain multiple weaknesses together to disrupt critical operations.

OSFI developed the I-CRT framework to:

  • Improve sector-wide cyber resilience

  • Test real-world attack scenarios

  • Validate security controls

  • Identify operational weaknesses

  • Strengthen incident response capabilities

  • Protect financial stability

Rather than asking, "Can this server be compromised?" I-CRT asks, "Could a sophisticated adversary disrupt this critical business function?"

What Are Critical Business Functions (CBFs)?

One of the defining characteristics of I-CRT is its focus on Critical Business Functions (CBFs).

OSFI defines CBFs as the people, processes, and technology required to deliver critical operations that, if disrupted, could materially affect an institution's resilience, customers, safety, soundness, or market conduct.

Examples include:

  • Retail banking services

  • Payment processing

  • Online banking

  • Treasury operations

  • Claims processing

  • Trading systems

  • Customer authentication

  • Core insurance platforms

Rather than testing every asset equally, I-CRT prioritizes systems supporting these essential services.

Traditional Penetration Testing vs. Red Teaming vs. I-CRT

One of the most valuable aspects of OSFI's guidance is its clear distinction between three common security testing approaches.

Feature

Traditional Penetration Testing

Red Team Exercise

Intelligence-Led Cyber Resilience Testing (I-CRT)

Primary Objective

Identify vulnerabilities

Simulate realistic attackers

Validate cyber resilience against real threat intelligence

Scope

Technology-focused

People, Process, Technology

Critical Business Functions (CBFs) across People, Process, and Technology

Threat Intelligence

Limited

General attacker emulation

Targeted intelligence based on realistic threats

Focus

Technical weaknesses

Security control effectiveness

Operational resilience

Regulatory Oversight

No

Usually no

Yes (OSFI oversight)

Deliverables

Vulnerability report

Attack narrative and findings

Resilience assessment and remediation roadmap

As sophistication increases, the assessment becomes less about finding isolated vulnerabilities and more about evaluating whether the organization can withstand genuine attack scenarios.

The Role of Targeted Threat Intelligence in I-CRT

Threat intelligence sits at the heart of the I-CRT methodology.

Rather than relying on generic attack techniques, intelligence providers develop tailored scenarios based on:

  • The institution's infrastructure

  • Industry threats

  • Current attacker tactics, techniques, and procedures (TTPs)

  • Nation-state activity

  • Organized cybercrime

  • Financial sector targeting

This intelligence is then used to inform the red team's actions.

The result is a highly realistic assessment based on how sophisticated adversaries would target the institution today.

The Five Key Stakeholders in an I-CRT Assessment

Successful I-CRT engagements require coordination between multiple independent parties.

Stakeholder

Primary Responsibility

FRFI Control Group

Overall governance, risk management, coordination

OSFI

Oversight, supervision, review of findings

Threat Intelligence Provider (TIP)

Develop targeted threat intelligence

Red Team Provider (RTP)

Execute intelligence-driven attack simulations

Senior Executive Sponsor

Organizational accountability and strategic oversight

This separation of responsibilities ensures objectivity while maintaining regulatory confidence in the testing process.

The Four Phases of an I-CRT Assessment

OSFI divides an I-CRT engagement into four primary phases.

Phase

Typical Duration

Primary Activities

Initiation

6 - 8 weeks

Scoping, governance, procurement, planning

Threat Intelligence

6- 10 weeks

Threat actor profiling, scenario development, target analysis

Execution

8 - 12 weeks

Red team assessment, attack simulation, resilience testing

Closure

4 - 6 weeks

Reporting, remediation planning, executive review

Risk management is expected throughout every phase to ensure testing is conducted safely and without unacceptable operational disruption.

Why I-CRT Is Different From Traditional Red Teaming

Many organizations assume I-CRT is simply another red team exercise.

It is considerably broader.

Traditional red teams primarily answer:

"Can we reach the objective?"

I-CRT instead asks:

  • Were attacks detected?

  • Were they contained?

  • How effective were response teams?

  • Were business operations disrupted?

  • What lessons improve resilience?

The emphasis shifts from technical compromise to organizational resilience.

Cadence: Who Needs I-CRT and How Often?

OSFI currently recommends I-CRT for Canada's Systemically Important Banks (SIBs) and Internationally Active Insurance Groups (IAIGs) on a regular supervisory cycle.

Institution Type

Recommended Cadence

Systemically Important Banks (SIBs)

Every three years

Internationally Active Insurance Groups (IAIGs)

Every three years

Event-driven assessments

Following significant cyber or technology risk events

Other FRFIs

Considered on a case-by-case basis

OSFI also notes that it may adjust assessment frequency based on supervisory priorities or significant incidents. (

Benefits of Intelligence-Led Cyber Resilience Testing

Organizations that adopt intelligence-led testing can realize benefits beyond regulatory compliance.

These include:

Realistic Attack Simulation

Testing reflects actual adversary behavior rather than theoretical attack paths.

Better Executive Decision-Making

Leadership gains visibility into operational risk rather than isolated technical findings.

Improved Detection Capabilities

Organizations validate whether existing monitoring identifies sophisticated attacks.

Stronger Incident Response

Security teams practice responding to realistic scenarios involving critical business functions.

Prioritized Remediation

Threat intelligence helps prioritize remediation based on business impact instead of vulnerability severity alone.

Preparing for an I-CRT Assessment

Organizations should begin preparation well before a formal assessment.

Key preparation activities include:

Identify Critical Business Functions

Map technology assets to business services.

Review Detection Capabilities

Assess the effectiveness of:

Validate Incident Response

Ensure response plans align with realistic attack scenarios.

Inventory External Exposure

Maintain visibility into internet-facing assets and third-party dependencies.

Strengthen Governance

Executive sponsorship and cross-functional coordination are critical to successful assessments.

Common Challenges Organizations Face With Intelligence-Led Testing

Many institutions encounter similar obstacles when implementing intelligence-led testing.

Common challenges include:

Challenge

Potential Impact

Incomplete asset inventories

Critical systems overlooked

Limited threat intelligence integration

Unrealistic testing scenarios

Weak executive involvement

Delayed decision-making

Poor documentation

Inefficient assessment execution

Immature detection capabilities

Missed attack activity

Third-party visibility gaps

Increased operational risk

Addressing these issues before an assessment improves outcomes and reduces disruption.

How I-CRT Supports Operational Resilience

Operational resilience has become a strategic priority across the global financial sector.

Unlike traditional cybersecurity programs that focus primarily on prevention, operational resilience assumes successful attacks will occur and emphasizes the organization's ability to continue delivering critical services.

I-CRT supports this objective by validating:

  • Prevention controls

  • Detection capabilities

  • Incident response

  • Recovery processes

  • Cross-functional coordination

  • Executive decision-making

The result is a more comprehensive understanding of cyber resilience.

Best Practices for Success

Organizations preparing for I-CRT should consider the following best practices:

  • Establish executive sponsorship early.

  • Maintain an up-to-date inventory of critical business functions.

  • Integrate commercial threat intelligence into security operations.

  • Conduct regular red team exercises between formal assessments.

  • Review third-party and supply chain risks.

  • Continuously improve detection engineering.

  • Track remediation through to completion.

  • Align testing with broader operational resilience initiatives.

Treating I-CRT as a continuous improvement program rather than a one-time exercise will deliver greater long-term value.

Conclusion

OSFI's Intelligence-Led Cyber Resilience Testing (I-CRT) Framework represents a significant evolution in how cyber resilience is assessed within Canada's federally regulated financial sector. By combining targeted threat intelligence, independent red team testing, regulatory oversight, and a focus on Critical Business Functions, the framework moves beyond traditional penetration testing to measure an organization's ability to withstand realistic cyber attacks.

For Systemically Important Banks, Internationally Active Insurance Groups, and other FRFIs, I-CRT offers more than a compliance exercise—it provides actionable insights into operational resilience, detection capabilities, governance, and incident response. The emphasis on realistic threat scenarios and continuous improvement reflects the changing nature of today's threat landscape, where sophisticated adversaries target business operations rather than isolated technical vulnerabilities.

Organizations that prepare early by strengthening governance, improving asset visibility, integrating threat intelligence, and regularly validating their cyber defenses will be better positioned to meet OSFI's expectations while enhancing their overall resilience against modern cyber threats.

As regulatory scrutiny and cyber risk continue to grow, intelligence-led cyber resilience testing is likely to become an increasingly important component of cybersecurity programs across Canada's financial services industry.

Contact Us

Join our newsletter

Packetlabs Company Logo
  • Toronto | HQ401 Bay Street, Suite 1600
    Toronto, Ontario, Canada
    M5H 2Y4
  • San Francisco | Outpost580 California Street, 12th floor
    San Francisco, CA, USA
    94104
  • Calgary | Outpost421 - 7th Ave SW, Suite 3000
    Calgary AB, Canada
    T2P 4K9
  • Australia | OutpostPacketlabs Pty Ltd.
    ABN 14 691 178 542
    Level 24, 1 O'Connell St
    Sydney NSW 2000
Cyber Right NowCREST LogoCREST AI Signatory AICPA SOC 2 LogoG2Clutch 2023 Certification Logo