
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog
Authored By Packetlabs

Cyber threats against financial institutions continue to increase in sophistication, frequency, and business impact. Traditional penetration testing remains an important component of cybersecurity programs, but regulators increasingly recognize that point-in-time testing alone cannot accurately measure an organization's ability to withstand modern, intelligence-driven attacks.
To address this challenge, the Office of the Superintendent of Financial Institutions (OSFI) introduced the Intelligence-Led Cyber Resilience Testing (I-CRT) Framework. Rather than focusing solely on identifying technical vulnerabilities, I-CRT evaluates whether a federally regulated financial institution (FRFI) can prevent, detect, respond to, and recover from realistic attacks targeting its most critical business functions.
For Canadian banks, insurers, and other regulated financial organizations, understanding the I-CRT framework is becoming increasingly important.
This guide explains what the I-CRT framework is, how it differs from traditional penetration testing, and what organizations should do to prepare.
OSFI's Intelligence-Led Cyber Resilience Testing (I-CRT) Framework is a regulatory-led methodology designed to assess the cyber resilience of federally regulated financial institutions using realistic threat intelligence and controlled red team exercises.
Unlike conventional penetration tests that focus primarily on finding technical vulnerabilities, I-CRT combines:
Commercial threat intelligence
Advanced red team operations
Regulatory oversight
Risk management
Executive governance
Critical business function testing
The goal is to evaluate how effectively an organization can withstand sophisticated cyberattacks that mirror real-world adversaries targeting Canada's financial sector.
The financial services industry remains one of the most targeted sectors globally.
Threat actors include:
Nation-state groups
Organized cybercriminals
Ransomware operators
Financially motivated attackers
Insider threats
Traditional security testing often identifies individual vulnerabilities but may not demonstrate how attackers could chain multiple weaknesses together to disrupt critical operations.
OSFI developed the I-CRT framework to:
Improve sector-wide cyber resilience
Test real-world attack scenarios
Validate security controls
Identify operational weaknesses
Strengthen incident response capabilities
Protect financial stability
Rather than asking, "Can this server be compromised?" I-CRT asks, "Could a sophisticated adversary disrupt this critical business function?"
One of the defining characteristics of I-CRT is its focus on Critical Business Functions (CBFs).
OSFI defines CBFs as the people, processes, and technology required to deliver critical operations that, if disrupted, could materially affect an institution's resilience, customers, safety, soundness, or market conduct.
Examples include:
Payment processing
Online banking
Treasury operations
Claims processing
Trading systems
Customer authentication
Core insurance platforms
Rather than testing every asset equally, I-CRT prioritizes systems supporting these essential services.
One of the most valuable aspects of OSFI's guidance is its clear distinction between three common security testing approaches.
Feature | Traditional Penetration Testing | Red Team Exercise | Intelligence-Led Cyber Resilience Testing (I-CRT) |
Primary Objective | Identify vulnerabilities | Simulate realistic attackers | Validate cyber resilience against real threat intelligence |
Scope | Technology-focused | People, Process, Technology | Critical Business Functions (CBFs) across People, Process, and Technology |
Threat Intelligence | Limited | General attacker emulation | Targeted intelligence based on realistic threats |
Focus | Technical weaknesses | Security control effectiveness | Operational resilience |
Regulatory Oversight | No | Usually no | Yes (OSFI oversight) |
Deliverables | Vulnerability report | Attack narrative and findings | Resilience assessment and remediation roadmap |
As sophistication increases, the assessment becomes less about finding isolated vulnerabilities and more about evaluating whether the organization can withstand genuine attack scenarios.
Threat intelligence sits at the heart of the I-CRT methodology.
Rather than relying on generic attack techniques, intelligence providers develop tailored scenarios based on:
The institution's infrastructure
Industry threats
Current attacker tactics, techniques, and procedures (TTPs)
Nation-state activity
Organized cybercrime
Financial sector targeting
This intelligence is then used to inform the red team's actions.
The result is a highly realistic assessment based on how sophisticated adversaries would target the institution today.
Successful I-CRT engagements require coordination between multiple independent parties.
Stakeholder | Primary Responsibility |
FRFI Control Group | Overall governance, risk management, coordination |
OSFI | Oversight, supervision, review of findings |
Threat Intelligence Provider (TIP) | Develop targeted threat intelligence |
Red Team Provider (RTP) | Execute intelligence-driven attack simulations |
Senior Executive Sponsor | Organizational accountability and strategic oversight |
This separation of responsibilities ensures objectivity while maintaining regulatory confidence in the testing process.
OSFI divides an I-CRT engagement into four primary phases.
Phase | Typical Duration | Primary Activities |
Initiation | 6 - 8 weeks | Scoping, governance, procurement, planning |
Threat Intelligence | 6- 10 weeks | Threat actor profiling, scenario development, target analysis |
Execution | 8 - 12 weeks | Red team assessment, attack simulation, resilience testing |
Closure | 4 - 6 weeks | Reporting, remediation planning, executive review |
Risk management is expected throughout every phase to ensure testing is conducted safely and without unacceptable operational disruption.
Many organizations assume I-CRT is simply another red team exercise.
It is considerably broader.
Traditional red teams primarily answer:
"Can we reach the objective?"
I-CRT instead asks:
Were attacks detected?
Were they contained?
How effective were response teams?
Were business operations disrupted?
What lessons improve resilience?
The emphasis shifts from technical compromise to organizational resilience.
OSFI currently recommends I-CRT for Canada's Systemically Important Banks (SIBs) and Internationally Active Insurance Groups (IAIGs) on a regular supervisory cycle.
Institution Type | Recommended Cadence |
Systemically Important Banks (SIBs) | Every three years |
Internationally Active Insurance Groups (IAIGs) | Every three years |
Event-driven assessments | Following significant cyber or technology risk events |
Other FRFIs | Considered on a case-by-case basis |
OSFI also notes that it may adjust assessment frequency based on supervisory priorities or significant incidents. (
Organizations that adopt intelligence-led testing can realize benefits beyond regulatory compliance.
These include:
Testing reflects actual adversary behavior rather than theoretical attack paths.
Leadership gains visibility into operational risk rather than isolated technical findings.
Organizations validate whether existing monitoring identifies sophisticated attacks.
Security teams practice responding to realistic scenarios involving critical business functions.
Threat intelligence helps prioritize remediation based on business impact instead of vulnerability severity alone.
Organizations should begin preparation well before a formal assessment.
Key preparation activities include:
Map technology assets to business services.
Assess the effectiveness of:
SIEM platforms
Security Operations Centers (SOC)
Network monitoring
Threat detection rules
Ensure response plans align with realistic attack scenarios.
Maintain visibility into internet-facing assets and third-party dependencies.
Executive sponsorship and cross-functional coordination are critical to successful assessments.
Many institutions encounter similar obstacles when implementing intelligence-led testing.
Common challenges include:
Challenge | Potential Impact |
Incomplete asset inventories | Critical systems overlooked |
Limited threat intelligence integration | Unrealistic testing scenarios |
Weak executive involvement | Delayed decision-making |
Poor documentation | Inefficient assessment execution |
Immature detection capabilities | Missed attack activity |
Third-party visibility gaps | Increased operational risk |
Addressing these issues before an assessment improves outcomes and reduces disruption.
Operational resilience has become a strategic priority across the global financial sector.
Unlike traditional cybersecurity programs that focus primarily on prevention, operational resilience assumes successful attacks will occur and emphasizes the organization's ability to continue delivering critical services.
I-CRT supports this objective by validating:
Prevention controls
Detection capabilities
Incident response
Recovery processes
Cross-functional coordination
Executive decision-making
The result is a more comprehensive understanding of cyber resilience.
Organizations preparing for I-CRT should consider the following best practices:
Establish executive sponsorship early.
Maintain an up-to-date inventory of critical business functions.
Integrate commercial threat intelligence into security operations.
Conduct regular red team exercises between formal assessments.
Review third-party and supply chain risks.
Continuously improve detection engineering.
Track remediation through to completion.
Align testing with broader operational resilience initiatives.
Treating I-CRT as a continuous improvement program rather than a one-time exercise will deliver greater long-term value.
OSFI's Intelligence-Led Cyber Resilience Testing (I-CRT) Framework represents a significant evolution in how cyber resilience is assessed within Canada's federally regulated financial sector. By combining targeted threat intelligence, independent red team testing, regulatory oversight, and a focus on Critical Business Functions, the framework moves beyond traditional penetration testing to measure an organization's ability to withstand realistic cyber attacks.
For Systemically Important Banks, Internationally Active Insurance Groups, and other FRFIs, I-CRT offers more than a compliance exercise—it provides actionable insights into operational resilience, detection capabilities, governance, and incident response. The emphasis on realistic threat scenarios and continuous improvement reflects the changing nature of today's threat landscape, where sophisticated adversaries target business operations rather than isolated technical vulnerabilities.
Organizations that prepare early by strengthening governance, improving asset visibility, integrating threat intelligence, and regularly validating their cyber defenses will be better positioned to meet OSFI's expectations while enhancing their overall resilience against modern cyber threats.
As regulatory scrutiny and cyber risk continue to grow, intelligence-led cyber resilience testing is likely to become an increasingly important component of cybersecurity programs across Canada's financial services industry.