The Financial Services Regulatory Authority of Ontario (FSRA) is taking steps to address information technology (IT) risks, including but not limited to cyberthreats, in a new guidance document spelling out how the regulator interprets applicable regulations and how it will approach compliance oversight of its regulated entities.
The final Information Technology (IT) Risk Management Guidance “will help FSRA-regulated sectors and individuals effectively manage threats to their IT systems, infrastructure and data,” FSRA states in an announcement about the new guidance’s publication. “The guidance describes practices and desired outcomes for regulated entities and individuals but does not prescribe how to achieve them,” the guidance continues.
For each of its regulated sectors, including credentialling bodies, health service providers, insurance agents and agencies, pension administrators and insurance companies, the document outlines seven practices for effective IT management, a process for notifying the regulator when an incident is material (interestingly, it is the regulated entities themselves who must determine whether a breach is material – the regulator provides the evaluation criteria), and sector-specific requirements.
Among the sector-specific requirements for incorporated insurance companies, agents, adjusters and agencies, for example, FSRA says it considers insurers to be ultimately responsible for the fair treatment of customers. “This includes ensuring that IT risks are being effectively managed through all of its distribution channels and outsourced functions related to the conduct of insurance business,” the regulator states, adding that this does not absolve intermediaries of their own responsibilities.
“FSRA defines IT risk as the risk of financial loss, operational disruption or damage, or reputational loss resulting from the inadequacy, disruption, destruction, failure or damage by any means to a regulated entity or individual’s IT systems, infrastructure and data,” the guidance states. “IT risk encompasses, but is not limited to, cyber risk. While cyber risk is specifically related to deliberate or accidental breaches of security, IT risk also includes any risk extending from the use of IT (e.g., aging digital infrastructure). IT risk represents a significant and growing threat to the businesses, operations and to the stability of FSRA’s regulated sectors,” the guidance adds. “FSRA’s focus on IT risk is consistent with FSRA’s statutory objects.”