The Financial Services Regulatory Authority of Ontario (FSRA) published proposed guidance on IT risk management (the Guidance) for consultation. The Guidance is intended to help FSRA-regulated sectors and individuals effectively manage threats to their IT systems, infrastructure and data.

The Guidance includes a segment applicable to all entities and individuals regulated by FSRA that sets out information about existing regulatory requirements, practices for effective IT risk management, and a process for regulated entities and individuals to notify FSRA in the event of a material IT risk incident. The Guidance also includes sector-specific content that provides additional guidance and interpretations of requirements for particular sectors, including mortgage brokerages. The Guidance takes a principles-based approach, giving regulated entities and individuals the flexibility to achieve the stated outcomes in a manner suited to the size and nature of their business.

The Guidance outlines the following seven practices to effectively manage IT risk and sets out the criteria FSRA will use to assess compliance with each practice:

  1. Governance – proper governance and oversight of IT risk
  2. Risk Management – policies and procedures in place to manage IT risk
  3. Data Management – strategies to manage and secure confidential data
  4. Outsourcing – controls in place to effectively manage risks related to outsourcing
  5. Incident Preparedness – processes in place to detect, manage, resolve and recover from an IT incident
  6. Continuity and Resiliency – ensure the continuity of IT assets to enable delivery of services following an incident
  7. Notification of Material IT Risk Incidents – notification to regulator(s) in the event of a material IT risk incident

The consultation period is open until March 31, 2023.

January 31, 2023