Compliance News | July 25, 2024

Guidance on Information Technology Risk Management

The Financial Services Regulatory Authority of Ontario (FSRA) released its IT Risk Management Guidance on April 1, 2024.

The guidance, which is in effect as of the release date, affects all FSRA-regulated entities, which include pension and benefits plans. The guidance includes seven practices for effective IT risk management and outlines the process for notifying FSRA in the event of an IT risk incident.


Practices for effective IT risk management

FSRA expects all regulated entities or individuals to follow these practices:

  • Have proper governance and oversight of its IT risks
  • Rely on industry accepted practices to effectively manage its IT risks
  • Use industry accepted strategies to effectively manage and secure confidential data
  • Effectively manage the IT risks associated with any outsourced activity, function and service
  • Be prepared to effectively detect, log, manage, resolve, recover, monitor and report on IT incidents in a timely manner
  • Be prepared to ensure continuity during and following an incident
  • Notify the regulator in the event of a material IT risk incident

Definition of material IT risk incidents

An IT incident may be considered material if:

  • The plan’s operations are disrupted such that the plan can no longer be effectively administered.
  • Confidential plan member data has been compromised.
  • It negatively affects other entities or individuals regulated by FSRA.
  • It is likely to reoccur with other entities or individuals regulated by FSRA.

Notifying FSRA: timing and process

After a material IT risk incident occurs, plan administrators should notify FSRA within 72 hours.

Plan administrators may notify FSRA of a material incident by completing the IT risk incident notification form and sending it to FSRA by:

FSRA’s process for IT risk incidents

FSRA has established the following three-phase process for material IT risk incidents:

  • In Phase 1, FSRA receives notification of a material incident along with details on how the affected entity has responded and recovered.
  • In Phase 2, if FSRA determines that the protocol for IT risk incidents should be activated, FSRA will contact the entity. The entity will be required to provide regular updates on the impact of the incident.
  • In Phase 3, the plan will be required to provide FSRA with its plan to prevent a similar incident from occurring in the future.

Next steps

Trustees should implement FSRA’s recommendations and follow the seven practices outlined in the guidance.

The guidance will be reviewed no later than June 2028.

Segal can be retained to work with plan sponsors and their legal counsel on determining the implications.

For assistance or if you have questions about the regulations and the law, contact your Segal consultant or get in touch.
