Organizations that issue credentials under Ontario’s new regime for regulating the use of financial planner and advisor titles must meet cybersecurity guidelines being proposed by the Financial Services Regulatory Authority of Ontario (FSRA).
“FSRA is consulting on guidance to help the sectors and individuals it regulates effectively manage a threat to their IT systems, infrastructure and data,” the agency said in a release.
The guidance covers seven fundamental areas for firms to address in guarding against cyber threats: governance, IT risk management, controls for data integrity and privacy, outsourcing controls, incident recovery procedures, business continuity plans, and an obligation to notify the regulator of material incidents.
The guidance sets out provisions for specific sectors including the planner/advisor sector, which would require approved credentialing bodies to meet certain standards. Those include measures to protect their IT systems and data, and processes to mitigate any disruptions to operations.
The proposed guidance also indicated that FSRA reviews will consider whether credentialing bodies have a cybersecurity strategy that includes strong controls to protect electronic data; policies for ensuring the use of strong passwords, firewalls and other measures; electronic data backups; and cloud storage.
It also said the regulator may conduct compliance reviews based on IT risk — and that the proposed guidance will be used to assess whether credentialing bodies are meeting its standards.
While the guidance applies to insurance agents, adjusters and agencies, it noted that “FSRA considers insurers to be ultimately responsible for ensuring that IT risks are being effectively managed through all of its distribution channels and outsourced functions.”
The consultation period is open until March 31.