ID: 2023-001
Type: Policy
Sector: Cross Sector
Status: Public comment closed
Date
Comment Due Date

Thank you for providing your feedback on FSRA’s proposed IT risk management Guidance.

We appreciate the comments and questions received to date. Your feedback will help to inform our final Guidance.

The request for submissions is now closed.


FSRA is consulting on guidance to help the sectors and individuals it regulates effectively manage threats to their IT systems, infrastructure and data.

IT risks, like cyber threats and aging digital infrastructure, can result in financial losses and harm to consumers.

Regulated entities must comply with existing requirements related to IT risk and the protection of personal information, including the requirements of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

This guidance is applicable to all FSRA-regulated sectors. It sets out seven practices to effectively manage IT risk and the steps required to notify FSRA in the event of an IT incident.

  1. Governance – people in place with sufficient expertise to manage IT risk
  2. Risk Management – policies and procedures in place to manage IT risk
  3. Data Management – processes, procedures and controls in place to ensure data quality, integrity, privacy
  4. Outsourcing – controls in place to manage risks related to outsourcing
  5. Incident Preparedness – processes in place to be able to recover from an IT incident
  6. Continuity and Resiliency – ensure the continuity of their IT assets to enable them to deliver services following an incident
  7. Notification of Material IT Risk Incidents – notification to regulator(s) in the event of a material IT risk incident

The guidance also outlines content for the effective management of IT risks for the following sectors:

  • Credit union
  • Mortgage brokering
  • Insurance
  • Pensions
  • Financial Planners and Financial Advisors

The consultation period is now open. FSRA invites stakeholders and the public to submit feedback until March 31, 2023.

Before we begin, please make sure you do not include any personal or private financial information. If your inquiry does require this information be shared with us, please call us at 1-800-668-0128 or email us at [email protected] for instructions.

By submitting your content, you agree to have your materials posted on our engagement portal, used in reports and other materials prepared by Financial Services Regulatory Authority of Ontario (FSRA) that may be shared with the public. Content is moderated so that all posts are respectful and professional. The Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c.F.31, applies to all online content.

Sector Comment Date posted
Loan and Trust
[2023-001] Marvin Cajina - Advanced Mortgage Investment Corporation
Hello,

I am also the lead accounting for a mortgage brokerage. My comment will apply to my experience managing mortgage brokerage and loan and trust companies. In my opinion, "Obtaining an Understanding of the System" should be the 8th bullet in your guideline. From my experience, knowing and having a solid understanding of the system is half the battle.

Regards,

Marvin Cajina
Property and Casualty and General Insurance
[2023-001] John Taylor - Ontario Mutual Insurance Association
Please find attached OMIA's response to the proposed guidance on IT risk management.


Financial Planners and Advisors
[2023-001] Devin Mataseje - FP Canada

Cross Sector
[2023-001] Jillian Fernandez - The Institute of Internal Auditors (IIA) -Canada
On behalf of The Institute of Internal Auditors (IIA), I am pleased to submit the following comments for consideration, in relation to FSRA’s proposed Information Technology Risk Management Guidance. The IIA welcomes further engagement with FSRA regarding this proposed Guidance and/or any other matters related to governance in Ontario’s financial services industry. If you have any questions regarding this letter or issues related to internal audit or organizational governance, I’d kindly ask you to please contact me.

Sincerely,
Jillian Fernandez

Credit Unions and Caisses Populaires
[2023-001] Carol - Normandeau
Please find attached Libro's response to Consultation ID 2023-001. Thank you.
Cross Sector
[2023-001] Jillian Fernandez - The Institute of Internal Auditors-Canada
On behalf of The Institute of Internal Auditors (IIA), I am pleased to submit the following comments for consideration, in relation to FSRA’s proposed Information Technology Risk Management Guidance. The IIA welcomes further engagement with FSRA regarding the proposed Guidance and/or any other matters related to governance in Ontario’s financial services industry. If you have any questions regarding this letter or issues related to internal audit or organizational governance, I’d kindly ask you to please contact me.

Sincerely,
Jillian Fernandez
Life and Health Insurance
[2023-001] Lindsay Walden - Manulife
Respectfully, Manulife's submission to the Financial Services Regulatory Authority on its Proposed Guidance for IT Risk Management.
Property and Casualty and General Insurance
[2023-001] Sandra Taylor - Canadian Association of Insurance Reciprocals
Please see attached comments from the Ontario regulated reciprocals.
Life and Health Insurance
[2023-001] Sarah Hobbs - Canadian Life and Health Insurance Association
Please see attached the submission of the Canadian Life and Health Insurance Association (CLHIA) on the proposed IT risk management guidance.
Auto Insurance
[2023-001] Kim Donaldson - Insurance Bureau of Canada
Please find attached IBC's submission on the IT Risk Management.
Thank you,

Kim

Property and Casualty and General Insurance
[2023-001] Jeff Pratt - Ontario School Boards' Insurance Exchange

Credit Unions and Caisses Populaires
[2023-001] Damian Chiu - Canadian Credit Union Association
Please see attached.
Cross Sector
[2023-001] Giuseppina Marra - Desjardins Group
Good Day,

Hereby, Desjardins is respectfully submitting its comments regarding FSRA's proposed guidance on both IT Risk Management and Operational Risk and Resilience.

Kind regards,
Life and Health Insurance
[2023-001] Susan Allemang - Independent Financial Brokers of Canada
Attached are the comments from IFB on the Proposed Information Technology (IT) Risk Management Guidance.
Property and Casualty and General Insurance
[2023-001] Patrick Lundy - CURIE Canadian Universities Reciprocal Insurance Exchange
Please see attached comments on the newly proposed guidance about IT Risk Management for the P&C, and General Insurance Sector.
Credit Unions and Caisses Populaires
[2023-001] Sunny Sodhi - Meridian Credit Union
Thank you for providing an opportunity to submit these questions. We look forward to continued dialogue.
Pensions
[2023-001] Ric Marrero - The Association Of Canadian Pension Management (ACPM)

Credit Unions and Caisses Populaires
[2023-001] Riz Ahmad - DUCA Financial Services Credit Union Ltd (DUCA)

Pensions
[2023-001] Saskia Goedhart - HOOPP, Ontario Teachers, OMERS, CAAT, OPTRUST

Pensions
[2023-001] Patrick Simon - Ontario Pension Board (OPB)

Cross Sector
[2023-001] Ontario Bar Association - Ontario Bar Association

Cross Sector
[2023-001] Barbara Walancik, Teri Truong - TELUS Health
