Ontario’s financial services regulator has released its final guidance document on managing information technology (IT) risks.
The Financial Services Regulatory Authority of Ontario (FSRA) said the guidance was developed with the goal of equipping regulated sectors and individuals with tools to navigate and mitigate risks to their IT systems, infrastructure, and sensitive data.
The guidance includes best practices aimed at bolstering effective management of IT risks. These practices cover the areas of governance, risk management, data management, outsourcing, incident preparedness, continuity and resiliency, and the notification of material IT risk incidents.
The guidance also specifies a reporting process in the event of IT risk incidents and sector-specific requirements tailored to credit unions, caisses populaires, Ontario-incorporated insurance companies and reciprocals, and pension plan administrators.
The FSRA also noted that it incorporated the feedback it had gathered for an earlier version of the IT risk management guidance.
The changes it made per this feedback include updating the IT incident reporting timeframe to “as soon as feasible, which would normally fall within the 48 to 72 hours range.”
The regulator also introduced more flexibility in reporting material incidents, providing the option to use a secure portal.
FSRA recently held a public consultation on its proposed statement of priorities and budget for 2024-2025, which included a plan to modernize its systems and processes and strategies to support reform and new regulations.
Prior to soliciting feedback for 2024-2025, FSRA hinted at plans to introduce a new regulatory framework for distribution networks. It said it wanted to address issues related to agent recruitment, training, and conduct that were highlighted in two compliance reports covering “troubling” business practices in the life insurance sector.