The Financial Services Regulatory Authority of Ontario (FSRA) has proposed new guidance for insurers and other financial services businesses on how they can manage their IT risks – and it has invited the public to provide any constructive feedback on the matter.
In the guidance, the FSRA explains that IT risk “represents a significant and growing threat to the business, operations and stability” of the sectors it oversees, and that its effects can ultimately reach consumers.
While the guidance has specific stipulations for individual financial sectors, it has one main provision for all businesses: All regulated entities must comply with existing IT risk and data protection requirements, which include those outlined by the Personal Information Protection and Electronic Documents Act (PIPEDA).
All regulated businesses under the FSRA’s jurisdiction must also put into practice the following:
Proper governance and oversight of IT risks, with clear responsibility and accountability for managing them.
Regulated entities must rely on industry-accepted practices to manage their IT risks.
They must also use industry-accepted strategies to manage and secure confidential data.
Regulated entities must manage the IT risks associated with any outsourced or co-sourced activity/function/service.
They must be prepared to effectively detect, log, manage, resolve, recover, monitor, and report IT incidents.
They must ensure the continuity of their IT assets and their ability to deliver critical services during and following an incident.
The regulated entities must notify regulators in the event of a material IT risk incident.
The FSRA has welcomed both stakeholders and the public to submit their feedback on the guidance. The consultation period runs until March 31, 2023.
Last month, the FSRA updated its minimum capital test guidance for P&C insurers. The updated minimum capital test guideline – which replaces the Financial Services Commission of Ontario’s 2019 MCT guideline – helps ensure that insurers in Ontario are financially sound and can fulfil their commitments to their clients.
What else can insurers do to ensure the data they handle is safe from data breaches and the like? Feel free to share your thoughts in the comments section below.