⚠ OSFI B-10 is in force. B-13 requires full attestation. Is your institution examination-ready?

Alberta HQ  ·  Serving FRFIs Across Canada

Compliance Confidence for Federally Regulated Financial Institutions.

Aegis Intel Advisory delivers institutional-grade OSFI B-10 & B-13 expertise — and the fractional CISO leadership your institution needs — without Big 4 costs or Big 4 timelines.

B-10: Third-Party Risk — In Force
B-13: Technology & Cyber — Full Compliance
100% Canadian Data Residency Guaranteed
4D Integrated Advisory Framework

Most regional banks are managing B-10 and B-13 in silos. OSFI is not.

OSFI examiners are connecting the dots between your third-party risk program and your cyber controls — and institutions without an integrated view are the ones receiving findings.

The Silos Problem

Procurement manages vendors. IT manages firewalls. Risk audits both. No one owns the intersection — which is exactly where your highest-consequence exposures live.

The Governance Gap

B-13 requires a qualified CISO with Board access and quarterly reporting. For institutions under $10B, this means either a costly hire or a critical vacancy that examiners will flag.

The Timing Pressure

Both guidelines are in force. OSFI supervisory reviews are active. A fixed-price compliance guarantee and rapid engagement timelines are not a luxury — they are a business necessity.

"If your B-10 team isn't talking to your B-13 team, you have a blind spot large enough for OSFI to notice."

— Aegis Intel Advisory

B-10 and B-13 are two sides of the same coin.

The regulatory reality: a cyber breach at a third party is your B-13 problem. A breach of your own systems affects your B-10 vendors. OSFI expects you to manage the entire continuum — not half of it.

B-10 — Third-Party Risk

Vendor Risk

Effective May 2024

Manages the risk entering your institution through your vendor and third-party ecosystem. Every cloud provider, outsourced function, and technology partner carries risk that becomes your regulatory obligation.

  • Criticality assessment & vendor tiering
  • Contractual audit rights & cyber clauses
  • Concentration risk management
  • Fourth-party (subcontractor) risk
  • Vendor exit planning

B-13 — Technology & Cyber Risk

Cyber Resilience

Currently In Force

Manages the risk within your own technology environment — systems, infrastructure, cyber defences. Requires Board accountability, a qualified CISO, and demonstrated resilience from the inside out.

  • CISO mandate & Board reporting
  • Annual penetration testing
  • 24-hour OSFI breach notification
  • Cyber Risk Appetite statement
  • Business continuity & DRP

The Intersection

Cyber due diligence on vendors. Right to audit vendor controls. Supply chain cyber attacks. Integrated resilience testing. 24-hour breach reporting across your entire ecosystem. This is where OSFI is focusing its supervisory efforts — and where most institutions have unresolved gaps.

The Integrated 4D Framework

A dual-lens approach that addresses B-10 and B-13 simultaneously — through the Sovereign Bridge™ Methodology, with 100% Canadian data residency at every stage.

D1: Discover
Internal & External Inventory
Asset & Relationship Mapping

Inventory all technology assets (B-13) and all third-party relationships (B-10). Identify Shadow IT and Shadow Vendors. Nothing hidden.

Outcome: Complete map of your technology risk surface.

D2: Diagnose
Cyber & Concentration Risk
Gap & Vulnerability Analysis

Assess internal cyber controls (B-13) and vendor cyber posture & concentration risk (B-10). Prioritize combined vulnerabilities before OSFI finds them.

Outcome: Prioritized view of your biggest combined exposures.

D3: Design
Controls & Contracts
Remediation & Policy Alignment

Remediate vendor contracts to include B-13 cyber requirements. Align vendor controls with your internal standards. Build a unified, defensible control environment.

Outcome: A defensible, unified control environment.

D4: Drive
Continuous Monitoring
Ongoing Resilience Operations

Implement continuous cyber monitoring for internal systems and critical vendors. Integrated KRI reporting. Board-level visibility into your total resilience posture.

Outcome: Real-time resilience and Board-level visibility.

Compliance as the entry point. vCISO partnership as the destination.

We lead with the immediate pressure — OSFI examination timing and documented findings — then evolve into the ongoing institutional CISO partnership your governance framework demands.

Entry Point

OSFI Compliance Advisory

Fixed-price, deadline-driven B-10 and B-13 compliance engagements built for institutions under examination pressure. Delivered via the Integrated 4D Framework with guaranteed data residency.

  • B-10 Vendor Risk Program Design & Remediation
  • B-13 Technology & Cyber Risk Gap Assessment
  • Integrated 4D Framework Engagement (Weeks 1–16)
  • OSFI Examination Preparation & Evidence Package
  • Board Reporting Framework & Risk Appetite Statement
  • Fixed-price with compliance milestone guarantee

Diagnostic

Integrated Resilience Diagnostic

A half-day workshop with your leadership team (Risk, IT, Procurement) to map your current B-10 and B-13 programs, identify the top five intersection risks, and produce a prioritized roadmap and business case.

  • Current-state B-10 & B-13 program mapping
  • Top 5 "Intersection Risks" identification
  • Prioritized remediation roadmap
  • Business case for an integrated program

Specialized

Cyber Due Diligence & Contracts

For institutions whose vendor contracts still say "the vendor must be secure" without defining what that means to OSFI. We embed specific B-13-aligned requirements and validate vendor cyber posture independently.

  • B-13-aligned contract language modernization
  • Vendor cyber controls assessment (beyond SOC reports)
  • Fourth-party (subcontractor) cyber risk mapping
  • CIS controls adherence validation

The missing middle between a generic vCISO firm and a Big 4 engagement.

Regional banks and FRFIs between $500M and $10B need institutional-grade OSFI expertise — not a commodity checklist, and not a six-figure Big 4 retainer.

True OSFI Specialization

We understand how OSFI supervisors connect B-10 findings to B-13 expectations. Our frameworks are built for what OSFI actually examines — not just what the guidelines say. We have been in the room during supervisory reviews.

Integrated, Not Siloed

No handoffs between a "compliance team" and a "technical team." We treat B-10 and B-13 as interlocking obligations demanding a unified response — the Integrated 4D Framework is how we execute that in practice.

Canadian Data Sovereignty

The Sovereign Bridge™ Methodology guarantees 100% Canadian data residency at every stage of engagement. No data egress. Managed through Alberta business operations and Canadian-territory infrastructure.

Pragmatic & Implementation-Ready

We don't just tell you to "integrate your risk programs." We deliver playbooks, governance structures, unified RACIs, and Board-ready materials from day one. Scalable for $500M credit unions and $5B regional banks alike.

Fixed-Price Compliance Guarantee

Our compliance engagements come with defined scope, defined timelines, and fixed pricing. No billing surprises during your most time-sensitive regulatory window.

Institutional CISO Partnership

We position ourselves as your institutional CISO partner — not a vendor delivering a report. That means Board access, ongoing accountability, and a stake in your examination outcomes, not just your deliverable checklist.

The Sovereign Bridge™ Methodology

Our proprietary delivery architecture ensures that world-class technical expertise is applied to your Canadian institution without any data ever leaving Canadian jurisdiction.

Technical Authority

Oluleke Olatunji (C|CISO). Former Banking CISO, CCISONFI Research Lead. Tier-1 financial security standards applied from Lagos, NG.

Sovereign Bridge™

Pixel-only stream protocol. Zero data egress from Canadian jurisdiction. Proprietary delivery architecture.

Institutional Delivery

Kayode Olatunji, Managing Director (Alberta). All data remains within Canadian territorial boundaries at all times.

100% Canadian Data Residency — Guaranteed

Institutional Leadership

Global technical authority delivering local regulatory accountability.

Kayode Olatunji
Managing Director — Alberta, Canada

Kayode leads Canadian operations from Calgary, Alberta and serves as the primary point of accountability for financial institutions across the country. He is Aegis Intel Advisory's client-facing lead for OSFI compliance and vCISO engagements, ensuring alignment with provincial business standards and federal regulatory expectations at every stage of engagement.

His mandate is institutional governance: ensuring that the client experience for banks and credit unions across Canada is seamless, transparent, and legally sound — and that advisory services integrate into each institution's governance framework with the local accountability OSFI examiners demand.

"Audit readiness is a relationship of trust. I ensure our advisory services integrate into your governance framework with the local accountability regulators demand — and that every engagement ends with your institution more resilient, not just more documented."

kayode@aegisintel.ca  ·  +1 (403) 973-4311

Oluleke Olatunji
CISSP, C|CISO, CCSP, ISO 27001 LA
Technical Director — OSFI B-10 & B-13 Architecture

Oluleke leads the technical roadmap for the Sovereign Bridge™, bringing nearly two decades of experience in high-stakes financial sector cybersecurity. He currently serves as Research Committee Lead for the Committee of CISOs of Nigerian Financial Institutions (CCISONFI), directing cross-jurisdictional regulatory research spanning CBN, OSFI, and global cyber frameworks.

As a former CISO for multiple banking institutions — including FSDH Merchant Bank and Smartcash PSB — Oluleke has directed large-scale security transformations, Open Banking governance initiatives, and regulatory alignment programs for major central banks. He holds elite certifications including CISSP, CCSP, C|CISO, and ISO 27001 Lead Auditor.

"Having operated inside the C-Suite of major financial institutions, I design our advisory architecture to satisfy the most rigorous board-level risk expectations and OSFI mandates — not just the letter of the guidelines."

Request Your Executive Brief

Complete this diagnostic to receive a personalized B-10/B-13 compliance roadmap and vCISO readiness assessment within 24 hours.

1. Is your institution a Federally Regulated Financial Institution (FRFI) subject to OSFI oversight?

2. Which OSFI mandate is your highest near-term priority?

3. Does your institution currently have a qualified CISO with direct Board access?

4. How confident is your Senior Officer in signing the next B-13 attestation?

5. When is your next OSFI supervisory review or internal audit cycle?