FSRA rolls out operational risk and resilience guidance for Ontario insurers

Cyber, climate and third-party risk are now squarely on the regulator's radar

Legal Insights

Ontario's insurance regulator now has a formal approach for judging how well insurers handle cyber attacks, climate shocks and other operational threats.

The Financial Services Regulatory Authority of Ontario published its Operational Risk and Resilience Guidance for Ontario-incorporated insurance companies and reciprocal insurance exchanges, and it took effect on June 8, 2026. The document, numbered PC0050APP, lays out how the regulator will size up the way insurers spot, manage and recover from the disruptions that can interrupt their operations.

The guidance sits under FSRA's Risk Based Supervisory Framework and rests on four principles: governance, risk identification and assessment, risk management, and resilience. Together they describe what FSRA expects to see when it examines an insurer's operations. None of it is mandatory. Still, FSRA states that the practices it describes can, depending on the circumstances, show whether an insurer has met its obligations, and the regulator says it may weigh an insurer's adoption of the principles in its supervisory approach.

FSRA defines operational risk as the risk of loss from inadequate or failed internal processes, people and systems, or from external events. That definition takes in legal risk but leaves out strategic and reputational risk. The regulator then turns to the threats it cares most about: third-party risk, cyber risk, data risk, and climate risk, both physical and transition.

Technology runs through the whole document. FSRA notes that insurers increasingly lean on third-party providers, including cloud services, and that this reliance has exposed them to new risks and vulnerabilities. It wants insurers to control who can reach their networks, to maintain and safely dispose of technology, to train staff on cyber security, and to give the regulator timely notice of material IT incidents. Accountability, FSRA stresses, stays with the insurer even when work is outsourced.

The Board and Senior Management carry ultimate responsibility for operational risk oversight. FSRA expects insurers to keep business continuity and disaster recovery plans, to test them against severe but plausible scenarios, and to learn from past failures. During supervision, the regulator may require an insurer to produce those plans to show how it would hold up under stress.

Climate gets its own treatment in the guidance's Information section, which summarizes disclosure standards from bodies including the International Sustainability Standards Board, whose IFRS S2 covers climate-related disclosures, and the Canadian Sustainability Standards Board, which proposed its own standards on March 13, 2024. FSRA flags that climate events can push up insurance claims for property damage and trigger claims under liability policies. The regulator currently assesses insurers' ESG and climate efforts as part of their resilience rating, and signals it may issue further guidance.

The full text of the guidance is available at https://www.fsrao.ca/media/26376/download. FSRA will review it no later than June 8, 2031.
