Ontario financial regulator issues cybersecurity preparedness guidance for mortgage brokering sector

Guidance adopts Mortgage Broker Regulators' Council of Canada's guidance

The Financial Services Regulatory Authority of Ontario (FSRA) recently released guidance on cybersecurity preparedness to prevent unauthorized access to sensitive client information in the mortgage brokering sector.

The guidance adopts the Mortgage Broker Regulators’ Council of Canada’s “Cybersecurity Guidance,” which provides leading practices for preventing cyber incidents and appropriately responding to them when they occur. It affects all licensees carrying out mortgage brokering activities across Ontario, including mortgage agents, brokers, brokerages, and administrators.

The guidance requires mortgage brokerages and administrators to notify the FSRA through this email address if they experience a cybersecurity incident that could materially impact client information. Indicators that a cybersecurity incident could have a material impact on clients are as follows:

  • The security breach impacted a system or database that stores a large amount or a sizable proportion of sensitive client information;
  • The mortgage brokerage or administrator would, in the normal course of operations, escalate the matter to or inform senior management accountable for information security;
  • The security incident requires non-routine measures or resources from the mortgage brokerage or administrator;
  • The security incident has resulted in a cyber insurance claim being initiated;
  • The breach is a repeat incident and could have a material impact on a cumulative basis.

Once the FSRA becomes aware of a cybersecurity incident, it activates its “Market Conduct Protocol for Cybersecurity.” This protocol outlines the FSRA’s expected engagement with a licensee to monitor actions in investigating and responding to the incident.

Under the guidance, the engagement would be continuous until the FSRA has complete knowledge of the extent of the potential data breach and what information was accessed, a confirmation that any corrupted information has been restored or the breach has been mitigated or contained, and a confirmation that all systems are back online and fully functional.

In addition, the FSRA should have confirmation that all affected stakeholders, including clients and relevant privacy regulators, have been notified and that the licensee has taken reasonable steps to limit potential client harm, as well as complete knowledge of the safeguards put in place to protect the licensee from similar future breaches. The FSRA stated that it would maintain the confidentiality of reported incidents to the extent allowed by law.

The guidance took effect on August 18 and will be subject to future review no later than August 18, 2025.