Better protecting consumers against harmful IT risks

FSRA releases final IT Risk Management Guidance

The Financial Services Regulatory Authority of Ontario (FSRA) is taking active steps to further protect consumers and their data against harmful IT risks, like cyber threats.

Today we released our final Information Technology (IT) Risk Management Guidance following robust consultation.

The Guidance will help FSRA-regulated sectors and individuals effectively manage threats to their IT systems, infrastructure and data.

The Guidance includes:

  • seven practices for effective IT risk management
  • a process to notify FSRA in the event of an IT risk incident
  • sector-specific requirements for credit unions and caisses populaires, Ontario-incorporated insurance companies and reciprocals, and pension plan administrators

Regulated entities must still comply with existing requirements related to IT risk and the protection of personal information, including the requirements of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

In response to the feedback gathered from January 23 to March 31, 2023, FSRA amended the proposed guidance as identified in the consultation summary. Some changes include:

  • The effective date of the Guidance has been changed from June 2023 to April 1, 2024.
  • The IT incident reporting timeframe has been updated to “as soon as feasible, which would normally fall within the 48 to 72 hours range”.
  • More flexibility to inform FSRA in the event of a material incident, including using a secure portal.

FSRA thanks all stakeholders for their comments and feedback. The final Guidance and summary of feedback are now available on FSRA's website.

Learn more:

FSRA continues to work on behalf of all stakeholders, including consumers, to ensure financial safety, fairness, and choice for everyone.

Learn more at