FSRA is consulting on guidance to help the sectors and individuals it regulates effectively manage a threat to their IT systems, infrastructure and data.
IT risks, like cyber threats and aging digital infrastructure, can result in financial losses and harm to consumers.
Regulated entities must comply with existing requirements related to IT risk and the protection of personal information, including the requirements of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
This guidance applies to all FSRA-regulated sectors. It sets out seven practices for effectively managing IT risk, and the steps required to notify FSRA in the event of an IT incident:
- Governance – people in place with sufficient expertise to manage IT risk
- Risk Management – policies and procedures in place to manage IT risk
- Data Management – processes, procedures and controls in place to ensure data quality, integrity and privacy
- Outsourcing – controls in place to manage risks related to outsourcing
- Incident Preparedness – processes in place to be able to recover from an IT incident
- Continuity and Resiliency – controls in place to ensure the continuity of IT assets so that the entity can continue to deliver services following an incident
- Notification of Material IT Risk Incidents – notification to regulator(s) in the event of a material IT risk incident
The guidance also outlines content for the effective management of IT risks for the following sectors:
- Credit union
- Mortgage brokering
- Financial Planners and Financial Advisors
The consultation period is now open. FSRA invites stakeholders and the public to submit feedback until March 31, 2023.