How to Pass an OSFI B-10 Vendor Risk Assessment for Your CMS

TL;DR
Since OSFI B-10 came into full effect in May 2024, your CMS is a regulated third-party arrangement. Your next CMS evaluation isn't just a marketing or IT decision — your CISO, privacy officer, legal team, third-party risk team, and compliance function all have sign-off authority. Any one of them can stall or kill the deal if the vendor isn't ready.
What your security team will ask for
- SOC 2 Type II report — current audit year, clean opinion
- Third-party penetration test results
- Security architecture and data flow diagram
- Encryption standards, access controls, SSO/SAML documentation
- Incident response policy and breach notification SLA
- Subprocessor list with their own compliance certifications
What your privacy team will ask for
- Confirmation of Canadian data center hosting — in the contract, not just configurable on request
- A data processing agreement aligned to PIPEDA and provincial requirements
- Confirmation that vendor support staff cannot access your production data without permission
What your legal team will ask for
- Audit rights for your organization and OSFI — if this clause isn't in the contract, the deal stalls
- Data ownership and portability terms — vendors who lock content into proprietary systems create concentration risk under B-10
- 24-hour breach notification commitment
- Termination-for-convenience clause and exit assistance terms
What separates a fast assessment from a slow one
Vendors who provide all of this upfront, without being asked twice, get through quickly. Vendors who respond with "that's on our roadmap" or take weeks to produce documentation get deprioritized or eliminated.
How Agility CMS is ready before the assessment starts
- SOC 2 Type II certified, annual audit, clean opinion — full documentation available at trust.agilitycms.com without a meeting or special request
- Standard contract already includes all B-10 required provisions — your legal team won't negotiate these from scratch
- Hosted on Azure Canada Central — Canadian data residency is in the contract, not just in the marketing
- We've been through this process with other Canadian insurers already — we know what your teams will ask for
The bottom line
The CMS vendors that clear your compliance review quickly are the ones who were ready before it started. The ones who weren't will cost you months.
What OSFI B-10 Actually Requires of Your CMS Vendor
B-10 applies to virtually all third-party arrangements, not just outsourcing of core business functions. If your CMS stores, processes, or delivers content that touches regulated customer communications, it falls within scope.
The key requirements your vendor needs to meet:
Audit rights. Your organization and OSFI must have the contractual right to audit the vendor's operations related to the service. Your legal team will look for this clause in the contract. If it isn't there, the deal stalls.
Data ownership and portability. B-10 explicitly flags cloud portability as a risk mitigation requirement. Your vendor must be able to return your content in a standard, exportable format if you terminate the contract. Vendors who lock content into proprietary systems create concentration risk.
Incident reporting. Your vendor must commit to notifying you within a defined window of any security breach. The standard expectation is 24 hours for a material incident.
Subprocessor disclosure. Every third party your CMS vendor relies on (cloud hosting, CDN, analytics, support tools) must be disclosed and approved. If your vendor can't tell you who their subprocessors are, your third-party risk team will flag it immediately.
Exit assistance. B-10 requires that vendors support data transition if you leave. Make sure the contract addresses this explicitly.
What Your Security Team Will Ask For
Your CISO and information security team will conduct their own assessment separately from the B-10 compliance review. Expect them to ask for:
- SOC 2 Type II report (current audit year, clean opinion)
- ISO 27001 certificate or equivalent
- Third-party penetration test results
- Security architecture and data flow diagram
- Encryption standards for data at rest and in transit
- Access control and SSO/SAML documentation
- Incident response policy and breach notification SLA
- Subprocessor list with their own compliance certifications
The vendors that get through this quickly are the ones who provide all of this upfront, without being asked twice. Vendors who respond with "that's on our roadmap" or take weeks to produce documentation get deprioritized or eliminated.
What Your Privacy Team Will Ask For
Your privacy officer or data protection officer will focus specifically on where data is stored and who can access it.
For Canadian insurers, the question of data residency is non-negotiable. Conservative interpretations of PIPEDA and Quebec's Law 25 mean your content data — including any metadata or analytics tied to customer behaviour — should stay within Canadian borders. Your privacy team will want:
- Confirmation of Canadian data center hosting (not just "configurable on request")
- A data processing agreement aligned to PIPEDA and provincial requirements
- Documentation of how data subject access requests are handled
- Confirmation that vendor support staff cannot access your production data without your permission
What Your Legal Team Will Ask For
Your legal team will redline the vendor contract looking for liability caps, indemnification terms, IP ownership, and the B-10 required provisions. The items that cause the most friction:
- Liability caps that are too low relative to the contract value
- No termination-for-convenience clause
- Ambiguous data ownership language
- Missing OSFI audit rights clause
Vendors who show up with a contract template that already includes these provisions save your legal team weeks of back-and-forth. Vendors who don't know what OSFI B-10 is create months of delay.
How Agility CMS Is Ready Before the Assessment Starts
Agility CMS maintains SOC 2 Type II certification with an annual audit and a clean opinion. Our full security documentation — including penetration test results, security questionnaires, and architecture diagrams — is available through our Trust Center at trust.agilitycms.com without a special request or a meeting.
Our standard contract already includes OSFI B-10 required provisions: audit rights for your organization and OSFI, subprocessor disclosure, 24-hour breach notification, data portability on termination, and exit assistance terms. Your legal team won't need to negotiate these from scratch.
We're hosted on Azure Canada Central in Toronto. Canadian data residency is in the contract, not just in our marketing.
And because we've been through this process with other Canadian insurers and financial institutions already, we know what your teams will ask for. We come prepared.
If you want to see our security documentation before booking a demo, you can access it directly at trust.agilitycms.com. If you'd rather speak with another Canadian insurer who's already completed their B-10 vendor assessment for Agility CMS, we can arrange that instead.

About the Author
Bryna is Director of Marketing at Agility CMS. Joining Agility in 2025, she brings over 20 years of experience driving growth for SaaS companies through customer-centric marketing programs. She specializes in building scalable lead generation engines, launching comprehensive webinar series, and designing data-driven email campaigns that deliver measurable results.
She holds a Bachelor of Arts and Communications from York University and a postgraduate certificate in Public Relations and Corporate Communications. As Director of Marketing, Bryna oversees marketing strategy and execution, working closely with the community to deliver valuable content and programs. When she's not driving marketing initiatives, Bryna enjoys running and cycling, and serves on the Board of Directors for the Canadian Liver Foundation.