Actively guarding against cyber threats to better protect consumers

FSRA is consulting on guidance to help the sectors and individuals it regulates effectively manage a threat to their IT systems, infrastructure and data.

IT risks, like cyber threats and aging digital infrastructure, can result in financial losses and harm to consumers.

Regulated entities must comply with existing requirements related to IT risk and the protection of personal information, including the requirements of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

This guidance is applicable to all FSRA-regulated sectors, sets out seven practices to effectively manage IT risk and the steps required to notify FSRA in the event of an IT incident.

  1. Governance – people in place with sufficient expertise to manage IT risk
  2. Risk Management – policies and procedures in place to manage IT risk
  3. Data Management - processes, procedures and controls in place to ensure data quality, integrity, privacy
  4. Outsourcing – controls in place to manage risks related to outsourcing
  5. Incident Preparedness – processes in place to be able to recover from an IT incident
  6. Continuity and Resiliency – ensure the continuity of their IT assets to enable them to deliver services following an incident
  7. Notification of Material IT Risk Incidents – notification to regulator(s) in the event of a material IT risk incident

The guidance also outlines content for the effective management of IT risks for the following sectors:

  • Credit union
  • Mortgage brokering
  • Insurance
  • Pensions
  • Financial Planners and Financial Advisors

The consultation period is now open. FSRA invites stakeholders and the public to submit feedback until March 31, 2023.

Learn more:

FSRA continues to work on behalf of all stakeholders, including consumers, to ensure financial safety, fairness, and choice for everyone.

Learn more at