BCFSA Cybersecurity Compliance
BC Financial Services Authority

BCFSA regulates BC credit unions, insurance companies, pension plans, mortgage brokers, and financial planners. BCFSA's technology risk expectations include cybersecurity controls that ThreeShield assesses and monitors through Lavawall®.

BCFSA Technology Risk Expectations

BCFSA's supervisory framework includes technology risk as a key risk category. Regulated entities are expected to have governance, controls, and resilience practices proportionate to their size and risk profile.

Technology Risk Governance

Board oversight of technology risk. Chief Risk Officer or equivalent responsibility for cyber risk. Annual technology risk assessment reported to senior management.

Cyber Resilience

Business continuity and disaster recovery plans covering cyber incidents. Tested recovery procedures. RTO/RPO targets for critical systems documented and validated.

Information Security Controls

Access management, MFA, encryption, vulnerability management, and security monitoring proportionate to the sensitivity of member/client data held.

Third-Party Technology Risk

Due diligence on critical technology vendors and cloud service providers. Contractual security requirements and exit strategies.

BC Credit Unions · BC Insurance Companies · Mortgage Brokers (BC) · Financial Planners (BC) · Pension Plans (BC)

Frequently Asked Questions

BC credit unions are provincially regulated by BCFSA, not federally by OSFI. While OSFI's B-13 guideline (technology and cyber risk management) applies to federally regulated banks and insurers, BCFSA has its own supervisory framework for provincially regulated entities. ThreeShield navigates both regulatory environments.

Yes - BC credit unions handling personal information in commercial activities face PIPEDA obligations in addition to BCFSA expectations. BC's Personal Information Protection Act (PIPA) may also apply. ThreeShield assesses compliance with all three simultaneously.

Get a BCFSA Technology Risk Assessment

ThreeShield evaluates your technology risk controls against BCFSA expectations and delivers board-ready findings.

DIY · Supported · Done-for-You · All engagement models available

Three Ways to Engage - From DIY to Done-for-You

Whether you have a strong internal team or need everything handled end-to-end, ThreeShield meets you where you are.

Self-Serve

DIY via Lavawall®

For lean IT teams and cost-conscious organizations with internal security capacity

  • Lavawall® platform access with GRC module
  • Automated evidence collection against BCFSA
  • Live compliance score dashboard
  • Policy and procedure template library
  • Self-guided remediation workflows
  • AI-generated compliance status reports

Recommended for MSPs & Lean IT

Supported

For MSPs, IT teams with some security resources, and organizations that need expert guidance but retain internal capacity

  • Everything in DIY tier
  • CISSP/CISA-guided gap assessment
  • Prioritized remediation roadmap
  • Policy and procedure development support
  • Quarterly compliance review calls
  • Tier 3 escalation for complex issues
  • MSP white-label available

Fully Managed

Done-for-You

For organizations that want full compliance delivery without managing the process internally

  • Everything in Supported tier
  • ThreeShield manages the full compliance program
  • CISSP/CISA-executed formal assessment or audit
  • findings methodology (typically 200+ findings)
  • Complete policy and procedure creation
  • Audit-ready evidence packages
  • Annual reassessment included