The Financial Services Regulatory Authority of Ontario (FSRA) has published proposed guidance on information technology (IT) risk management for entities in the sectors it regulates, “to help the sectors and individuals it regulates effectively manage a threat to their IT systems, infrastructure and data.”
The consultation period to address the proposed guidance and submit feedback is open until March 31, 2023.
“Regulated entities must comply with existing requirements related to IT risk and the protection of personal information, including the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA). The guidance is applicable to all FSRA-regulated sectors,” they write. In addition to credit unions and mortgage brokering, FSRA also regulates insurance, pensions, financial planners and advisors.
The guidance sets out seven practices including those affecting governance, risk and data management, outsourcing, incident preparedness and continuity, along with the steps required to notify the regulator in the event of a material IT risk incident.
“The guidance describes practices and desired outcomes for regulated entities and individuals, but does not prescribe how to achieve them. This principles-based approach offers regulated entities and individuals the flexibility to achieve the outcomes in a manner that is suitable for the size and nature of their business,” FSRA writes in the guidance document.
Broken down, the document includes information and approach guidance, which do not create any compliance obligations, but also interpretation guidance, which sets out FSRA’s requirements under its legislative mandate. “Non-compliance can lead to enforcement or supervisory action,” they write.
“FSRA defines IT risk as the risk of financial loss, operational disruption or damage, or reputational loss resulting from the inadequacy, disruption, destruction, failure or damage by any means to a regulated entity or individual’s IT systems, infrastructure and data,” they continue.
“IT risk can be external or internal to a regulated entity or individual. IT risk encompasses, but is not limited to, cyber risk. While cyber risk specifically relates to deliberate or accidental breaches of security, IT risk also includes any risk extending from the use of IT,” including aging digital infrastructure, they add.