Purpose of consultation:

The Information Technology (“IT”) Risk Management Guidance (“the guidance”) communicates:

  • ‘Practices for Effective IT Risk Management’.
  • A process for regulated entities and individuals to notify FSRA in the event of a material IT risk incident.
  • Sector-specific IT Risk Management Guidance, including interpretations of requirements for credit unions and caisses populaires (“credit unions”), Ontario-incorporated insurance companies and reciprocals (“insurers”), and pension plan administrators.

This guidance applies to all FSRA-regulated entities and individuals.

This consultation asked for feedback on how FSRA can improve the guidance to better achieve its desired outcomes.

Outcome of consultation:

As a result of the consultation, the following changes have been reflected in the final version of the guidance:

  • Updated the effective date of the guidance to April 1, 2024, to allow sufficient time for regulated entities and individuals to implement any changes necessitated by this guidance
  • Updated language on the ‘Notification of material IT risk incidents’
  • Provided flexibility on how regulated entities and individuals can notify FSRA in the event of a material IT Risk incident
  • Updated the IT Risk Incident Report form
  • Updated language to better align with existing requirements and other regulators

Feedback from the sector:

FSRA received 21 submissions with feedback on the guidance during the consultation period, which went from January 23 to March 31, 2023. The submissions and comments are also available on FSRA’s website.

FSRA thanks everyone who took the time to provide thoughtful comments. FSRA carefully considered all feedback before finalizing and issuing the guidance.

Contributors:

The following stakeholders took the time to share their perspectives with FSRA:

  1. Marvin Cajina - Advanced Mortgage Investment Corporation – AMIC
  2. Jilian Fernandez - Institute of Internal Auditors Canada – IIA
  3. Carol Normandeau - Libro Credit Union
  4. Devin Mataseje - Financial Planning Standards Council – FP Canada
  5. John Taylor - Ontario Mutual Insurance Association – OMIA
  6. Lindsay Walden - Manulife
  7. Sandra Taylor - Canadian Association of Insurance Reciprocals – CAIR
  8. Sarah Hobbs - Canadian Life and Health Insurance Association – CLHIA
  9. Kim Donaldson - Insurance Bureau of Canada – IBC
  10. Jeff Pratt - Ontario School Boards’ Insurance Exchange – OSBIE
  11. Damian Chiu - Canadian Credit Union Association – CCUA
  12. Giuseppina Marra - Desjardins Group
  13. Susan Allemang - Independent Financial Brokers of Canada – IFB
  14. Patrick Lundy - Canadian Universities Reciprocal Insurance Exchange – CURIE
  15. Sunny Sodhi - Meridian Credit Union
  16. Ric Marrero - The Association of Canadian Pension Management – ACPM
  17. Riz Ahmad - DUCA Financial Services Credit Union Ltd – DUCA
  18. Saskia Goedhart - Health Care of Ontario Pension Plan (HOOPP), Ontario Teachers’ Pension Plan (Ontario Teachers), OMERS Primary Pension Plan (OMERS), Colleges of Applied Arts and Technology Pension Plan (CAAT), and OPSEU Pension Plan Trust Fund (OPTRUST)
  19. Patrick Simon - Ontario Pension Board – OPB
  20. OBA - Ontario Bar Association – OBA
  21. Barbara Walancik & Teri Truong - TELUS Health

Feedback summary and FSRA’s responses:

Each theme below lists the stakeholders who raised it, a summary of their comments, and FSRA’s response.

Theme: Implementation Timeline

Stakeholders:

  • Libro
  • Desjardins
  • ACPM
  • DUCA
  • OBA
  • TELUS Health

Summarized comment:

Some stakeholders requested a longer implementation period to allow sufficient time to implement the required changes.

FSRA’s response:

Based on feedback, FSRA will delay the effective date of the guidance until April 1, 2024. This will allow regulated entities and individuals sufficient time to implement any changes necessitated by the guidance.

Theme: Reporting Timeframe

Stakeholders:

  • CCUA
  • HOOPP, OMERS, CAAT, OPTRUST
  • TELUS Health
  • DUCA

Summarized comment:

Some stakeholders expressed concern regarding the timelines for reporting IT risk incidents.

FSRA’s response:

The IT incident reporting timeframe has been updated to “as soon as feasible, which would normally fall within the 48 to 72 hours range”. This affords the regulated entity or individual flexibility to notify FSRA at a time when doing so does not interfere with the response to the incident.

Credit unions and Ontario-incorporated insurance companies and reciprocals are also asked to report incidents “as soon as feasible”, but no later than 72 hours after the incident.

FSRA has expanded the ways in which it will accept notification of IT risk incidents to give regulated entities and individuals more flexibility. In addition to accepting forms through the email inbox, regulated entities and individuals can use a secure portal (currently in development and expected to be ready for use by April 1, 2024) to upload the form and supporting documentation, or can contact their relationship manager directly.

Theme: Additional Clarity

Stakeholders:

  • IIA
  • Libro
  • CAIR
  • OSBIE
  • CCUA
  • Desjardins
  • CURIE
  • Meridian
  • DUCA
  • OPB
  • OBA
  • TELUS Health
  • CLHIA

Summarized comment:

Some stakeholders requested additional clarity on the use of terminology, including expanded definitions and prescribed conditions.

FSRA’s response:

FSRA prefers not to set a fixed definition of what constitutes “materiality” for an IT risk incident, because “materiality” will look different depending on the regulated entity or individual. This is also consistent with how other regulators in Canada have approached incident reporting.

Instead, the guidance provides a list of indicators that can help regulated entities or individuals determine whether an incident is material. In this way, regulated entities and individuals can determine for themselves whether an incident is material, based on their size, complexity, and risk profile.

FSRA encourages regulated entities and individuals to contact FSRA and/or submit a notification if there is doubt regarding materiality.

FSRA has provided a list of examples of incidents that may require notification in Appendix 1. FSRA does not plan to expand the list at this time, as it is intended to be illustrative rather than exhaustive.

FSRA has developed definitions of key terms based on internationally accepted standards.

Theme: Alignment with Different Guidelines or Regulators

Stakeholders:

  • ACPM
  • HOOPP, OMERS, CAAT, OPTRUST
  • OPB
  • OBA
  • TELUS Health
  • IIA
  • CLHIA
  • IBC
  • Manulife
  • Desjardins

Summarized comment:

Stakeholders suggested that there are opportunities for further alignment with other pieces of guidance and/or other regulators.

Some stakeholders advocated for a lead-regulator system, under which entities would report to just one regulator.

Some stakeholders asked that their regulated sector be excluded from the guidance because existing guidance from another regulator or regulatory association already applies to them.

FSRA’s response:

FSRA is open to working with other regulators across Canada, where possible, to harmonize and share information in order to reduce the burden on regulated entities and individuals.

FSRA has updated the language of the guidance in some areas to better align with other regulators and existing pieces of guidance.

FSRA will consider, and discuss with other regulators, the recommendation to develop a ‘lead regulator’ system, in addition to exploring other options that would further harmonization.

FSRA is not considering excluding certain regulated entities and individuals from the guidance at this time. Although guidance already exists in some sectors, whether from a different regulator or from a regulatory association, FSRA requires its own guidance in each sector in order to adequately supervise and regulate that sector.

Theme: Principles-Based Approach

Stakeholders:

  • CLHIA
  • CCUA
  • Desjardins
  • ACPM
  • OPB
  • TELUS Health

Summarized comment:

Some stakeholders expressed concern that the guidance was too prescriptive in some areas (e.g., the ‘Desired Outcomes’ under the Practices for Effective IT Risk Management) and suggested that FSRA take a principles-based approach to addressing IT risk.

Some stakeholders expressed a desire for more prescription. This included a recommendation that FSRA release a guide of best practices to be followed as a minimum standard.

FSRA’s response:

While some stakeholders felt that FSRA was too prescriptive in its guidance, others asked for more prescription. FSRA has attempted to strike the appropriate balance by providing clear expectations on outcomes while avoiding prescribing how regulated entities and individuals should achieve them.

FSRA has taken a principles-based and outcomes-focused approach to developing the guidance. Throughout the guidance, FSRA stresses proportionality and the expectation that each regulated entity or individual approach the management of IT risk in accordance with its size, complexity and risk profile.

Theme: Non-Ontario-Incorporated Insurance Companies

Stakeholders:

  • CLHIA

Summarized comment:

A stakeholder suggested excluding non-Ontario-incorporated insurance companies that are already subject to similar guidance, and collaborating with other regulators to ensure inter-jurisdictional harmonization.

FSRA’s response:

FSRA is committed to working and coordinating with other regulators to better harmonize on IT risk, in order to reduce the burden on regulated entities and individuals.

FSRA is not considering excluding non-Ontario-incorporated insurance companies and reciprocals from the guidance. This guidance is a crucial tool that FSRA will use to assess suitability, receive notifications of IT risk incidents, and generally supervise non-Ontario-incorporated insurance companies and reciprocals on IT risk management.

Theme: Pensions and Incident Reporting

Stakeholders:

  • HOOPP, OMERS, CAAT, OPTRUST
  • OPB
  • OBA

Summarized comment:

Stakeholders suggested that FSRA refine its approach to pension plan administrators notifying FSRA following material IT risk incidents.

FSRA’s response:

FSRA has updated the guidance to advise pension plan administrators to notify FSRA only in the event that the incident:

  • Disrupts the operations of the pension plan to the extent that the plan can no longer be effectively administered.
  • Compromises confidential plan member data.
  • Impacts the ability of the administrator to pay benefits.

Theme: Responsibility for IT Risk Oversight

Stakeholders:

  • Manulife
  • CLHIA
  • IBC

Summarized comment:

Some stakeholders do not support insurers being ultimately responsible for IT risk management oversight across the various distribution channels.

FSRA’s response:

FSRA has updated the guidance to better align with the Canadian Council of Insurance Regulators (“CCIR”) / Canadian Insurance Services Regulatory Organizations (“CISRO”) Guidance on Conduct of Insurance Business and Fair Treatment of Customers (“FTC Guidance”). The FTC Guidance stresses that insurers are ultimately responsible for the fair treatment of customers, but that this does not absolve intermediaries of their own responsibilities, for which they remain accountable.

FSRA has further updated this section of the guidance to enhance alignment with the Office of the Superintendent of Financial Institutions (“OSFI”) Guideline B-10 – Third-Party Risk Management, to stress a risk-based approach to managing distribution channels and outsourced functions related to IT risk.

Theme: Protection of Confidential Information

Stakeholders:

  • OPB
  • DUCA
  • HOOPP, OMERS, CAAT, OPTRUST

Summarized comment:

A stakeholder suggested that FSRA remove Practice 7 and the ‘Approach’ section “Notification of material IT risk incidents” from the guidance, disapply those provisions to the pensions sector, or delay the implementation of those provisions until a legal framework exempting such information from disclosure by FSRA is in place.

Other stakeholders raised concerns over the protection of confidential information when notifying FSRA.

FSRA’s response:

FSRA will maintain the confidentiality of any incidents reported by regulated entities and individuals to the extent allowed by law.

FSRA is developing a portal through which regulated entities and individuals can notify FSRA and provide supporting documentation securely.

Theme: Personal Information Protection and Electronic Documents Act (“PIPEDA”)

Stakeholders:

  • FP Canada
  • Manulife
  • CAIR
  • CLHIA
  • OSBIE
  • CURIE
  • OMIA
  • IFB

Summarized comment:

Some stakeholders expressed a belief that the guidance duplicates existing or similar requirements under PIPEDA.

FSRA’s response:

FSRA will work with other regulators, where possible, to harmonize and collaborate in order to reduce the burden on its regulated entities and individuals.

Regulated entities and individuals are expected to comply with this guidance, which is distinct and separate from existing obligations, including those under PIPEDA.

While this guidance and PIPEDA share some desired outcomes, such as the protection of confidential information, this guidance aims to achieve outcomes in addition to those set out in PIPEDA. For example, this guidance is consistent with FSRA’s statutory objects, which include:

  • promoting high standards of business conduct;
  • protecting the rights and interests of consumers; and
  • fostering strong, sustainable, competitive and innovative financial services sectors.

Theme: Credentialing Bodies

Stakeholders:

  • FP Canada
  • IFB

Summarized comment:

A stakeholder noted that under the Financial Professionals Title Protection Act, FSRA can revoke a credentialing body’s (“CB”) approval for lack of compliance with the proposed guidance, and that it will be important to establish processes for the event that a CB’s approval is revoked, so that individual FPs and FAs who earned the credential in good faith are not disadvantaged.

FSRA’s response:

In its Spring 2023 Budget Bill (Bill 85), the government of Ontario introduced an amendment to the Financial Professionals Title Protection Act, 2019 (“FPTPA”) to give FSRA rule-making authority governing the use of protected titles by credential holders when a credentialing body’s approval is revoked or it ceases to operate. Bill 85 received Royal Assent on May 18, 2023.

FSRA will work closely with government and stakeholders to establish an approach that ensures continued consumer protection and considers the potential impact on credential holders (individuals using the FP/FA titles).