The OSFI I-CRT Framework

Canada’s federally regulated financial institutions (FRFIs) sit in a uniquely high-stakes threat environment. A single cyber incident can disrupt a Critical Business Function (CBF), potentially impacting consumers, market participants, and even the stability of the broader financial sector.

OSFI has been clear that managing cyber risk is fundamental to resilience, and one way it’s pushing the sector forward is through Intelligence-led Cyber Resilience Testing (I-CRT). I-CRT is not “just another penetration test”: it’s a regulator-led, controlled, bespoke assessment that uses targeted threat intelligence and realistic attacker behaviour to evaluate whether an organization can prevent, detect, respond to, and recover from sophisticated cyberattacks against live, in-scope CBFs.

The Definition of I-CRT

OSFI describes the I-CRT framework as a “how-to” guide for conducting I-CRT assessments. It explicitly notes that the framework is not a policy instrument that sets regulatory expectations. Instead, it’s a supervisory tool designed to help institutions and OSFI collaborate on identifying realistic threats and the remediation actions needed to improve cyber resilience.

At its core, I-CRT pairs:

  • Targeted threat intelligence to ensure scenarios are relevant and timely, and

  • Ethical hacking and Red Team execution to simulate the tactics, techniques, and procedures (TTPs) of sophisticated actors.

This combination is the “intelligence-led” difference. Traditional penetration tests often focus on finding vulnerabilities; Red Team exercises may test detection and response. I-CRT goes further by deliberately anchoring the exercise in realistic adversary intent and capability, then proceeding to measure resilience outcomes against the CBFs that matter most.

What is the Scope of I-CRT?

While OSFI notes that I-CRT concepts broadly apply to all FRFIs, the current scope of the framework applies to:

  • Systemically Important Banks (SIBs) and

  • Internationally Active Insurance Groups (IAIGs)

OSFI provides an assessment cadence: for SIBs and IAIGs, I-CRT is expected on a three-year supervisory cycle, with event-driven assessments possible based on risk signals or major incidents.

Other FRFIs may request I-CRT and OSFI will evaluate on a case-by-case basis.

Governance: a Distinctive I-CRT Feature

A distinctive feature of I-CRT is that the FRFI remains in control of risk, especially during invasive Red Team activity.

OSFI’s framework lays out a governance model with clearly defined roles, including:

  • the FRFI Control Group (CG),

  • a Control Group Coordinator (CGC),

  • OSFI (as regulator providing oversight),

  • a Threat Intelligence Provider (TIP), and

  • a Red Team Provider (RTP)

The Control Group is central: it owns end-to-end project management, risk management, contracting, scoping, and remediation, and it must keep membership tight under a “need to know” principle.

I-CRT is designed to test real detection and response capability. If the Blue Team knows a test is happening, you can’t reliably measure whether your monitoring, escalation paths, and operations actually work under surprise conditions.

That’s why OSFI emphasizes strict operational secrecy and “need to know” access, including use of a project code name and a Traffic Light Protocol approach for sharing project information.

The Phases of an I-CRT Assessment

OSFI structures I-CRT into four phases with indicative timelines (which should be scaled to scope and complexity):

  • Initiation (six-to-eight weeks)

  • Threat Intelligence (six-to-ten weeks)

  • Execution (eight-to-twelve weeks)

  • Closure (four-to-six weeks)

1) Initiation: This is where OSFI formally engages the FRFI, the scope is established, and service providers are selected and onboarded. Procurement can be a gating factor, so this phase is often about building the control framework: governance, communications rules, and initial risk assessment.

2) Threat Intelligence: The TIP develops the threat intelligence outputs that drive the rest of the program. OSFI stresses that the intelligence must be targeted and actionable: more than “a dark web search.” This is where the exercise’s credibility is built: the scenarios must reflect how real actors would pursue outcomes that matter to the institution’s CBFs.

3) Execution: The RTP conducts the Red Team activity against in-scope assets supporting the CBFs, using the threat intelligence report to build and execute the plan. OSFI highlights that the highest risk of disruption occurs during execution, and the Control Group must be able to pause/stop activity if needed. OSFI also notes it may inform the Canadian Centre for Cyber Security for awareness ahead of execution.

4) Closure: The value of I-CRT comes from translating findings into a remediation plan and tracking it to completion through normal supervisory mechanisms. OSFI reviews findings and remediation plans and can issue a recommendations letter, then monitors closure through its supervision processes.

How I-CRT Compares to Other Global Frameworks

Although I-CRT is a “how-to” tool rather than a formal expectations document, it aligns closely with OSFI’s broader Technology and Cyber Risk Management guideline, which is organized around governance, technology operations/resilience, and cybersecurity outcomes.

Practically, I-CRT can be seen as a high-fidelity way to validate whether an institution’s controls and operating model actually produce the outcomes OSFI expects: clear accountability, resilient technology operations, and a secure posture that protects confidentiality, integrity, and availability.

I-CRT sits in a growing family of regulator-supported, threat intelligence-led testing frameworks around the world. For example, the Bank of England’s CBEST similarly positions threat intelligence-led testing as a targeted assessment to identify vulnerabilities and drive remedial action, strengthening resilience at both firm and system levels.

This global convergence matters for multi-jurisdictional firms: OSFI explicitly acknowledges cross-border operations and notes it will work with FRFIs to avoid overlap with similar assessments in other jurisdictions.

OSFI's I-CRT Framework: Takeaways for Security Leaders

If you’re preparing for (or designing) an I-CRT-style assessment, experts recommend focusing on the following:

  • Start with CBF clarity. If your CBF mapping is weak, your test will be noisy and your remediation plan will be misaligned.

  • Treat operational secrecy as a control, not a preference. It is foundational to measurement integrity.

  • Invest in the Control Group. Authority, decision speed, escalation paths, and risk ownership determine whether execution stays safe and meaningful.

  • Make remediation measurable. Closure should create a prioritized plan linked to business objectives and risk appetite, not a long list of technical findings.

Conclusion

OSFI’s I-CRT framework raises the bar from “can we find vulnerabilities?” to “can we withstand a real attack on what matters most?” It’s a structured, intelligence-led approach that tests cyber resilience under realistic conditions, all while ensuring governance and risk controls keep the institution safe during the exercise.
