On August 18, 2022, the Financial Services Regulatory Authority of Ontario (FSRA) – Ontario’s financial sector regulator – adopted the Mortgage Broker Regulators' Council of Canada's Cybersecurity Guidance (Guidance). The Guidance outlines best practices for preventing cyber incidents and appropriately responding to them when they occur.
The FSRA adopted the Guidance in response to the growing risk of cyberattacks. Cyberattacks pose a real risk of harm to the mortgage industry given the flow of information between various parties including mortgage brokers, lenders, investors, borrowers and third-party service providers. These parties handle sensitive client data on a continuous basis in the ordinary course of business and as such are appealing targets to cybercriminals.
The Guidance applies to individuals and entities regulated by FSRA under Ontario’s Mortgage Brokerages, Lenders and Administrators Act, including:
Notably, the Guidance requires that mortgage brokerages and administrators notify FSRA at [email protected] if they experience a cybersecurity incident that could have a material impact on client information. The following are indicators that FSRA should be notified:
The security breach impacted a system or database that stores a large amount or a sizable proportion of sensitive client information
The mortgage brokerage or administrator would, in the normal course of operations, escalate the matter to or inform the senior management accountable for information security
The security incident requires non-routine measures or resources by the mortgage brokerage or mortgage administrator
The security incident has resulted in a cyber insurance claim being initiated
The breach is a repeat incident and could have a material impact on a cumulative basis
Following notification of a cybersecurity incident, FSRA will activate its Market Conduct Protocol for Cybersecurity. FSRA will continue to monitor the notifying party’s response to the incident until it has:
A complete understanding and knowledge of the extent of the potential data breach and what information was accessed
Confirmation that any corrupted information has been restored and/or that the breach has been mitigated or contained
Confirmation that all systems are back online and fully functional
Confirmation that all affected stakeholders, including clients and relevant privacy regulators, have been notified, and reasonable steps have been taken by the licensee to limit potential client harm
A complete understanding and knowledge of the safeguards that have been put in place to ensure the licensee is protected from similar future breaches
The Guidance is an additional safeguard to assist mortgage professionals in protecting clients from the growing risk of cyberattacks and incidents. Mortgage brokerages and administrators already have a legal obligation under federal privacy law to keep the personal information they collect secure and protected from loss, unauthorized access and theft. Further, the Guidance builds on the provisions of the Mortgage Broker Regulators’ Council of Canada’s Code of Conduct and the accompanying cyber preparedness requirements.
We note that the introduction of this Guidance is part of a growing trend in which regulators are requiring mandatory notification of cybersecurity incidents. One example is Bill C-26, which was recently introduced in the House of Commons of Canada. If passed as currently drafted, it would require “designated operators” (the classes of organizations that would be subject to this legislation have not yet been identified) to report a “cybersecurity incident” to the Communications Security Establishment and to their applicable regulator. For more information on Bill C-26, please see our recent bulletin on the topic.
Our team is available to assist regulated organizations in the event that they experience a cybersecurity incident.
For more information, please contact:
Sunny Handa +1-514-982-4008
John Lenz +1-514-982-6308
Allison Sibthorpe +1-514-883-4205
or any other member of our Cybersecurity team.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2023 Blake, Cassels & Graydon LLP