FSRA IT Risk Incident Notification 15-Minute SOP: Free Download
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
This is the 15-minute Standard Operating Procedure that Ontario financial brokerages use to meet FSRA’s IT risk incident notification expectation without panic. It is a numbered playbook covering the first hour after an incident: who calls FSRA, what gets said, what data is captured, what gets sent in writing, and which broker-of-record signatures lock the record. The download is a PDF SOP, a one-page wall card for the office, and an email and call-script template.
What’s in this download
- A numbered 15-minute SOP covering the first hour after an IT incident, with named roles, deadlines, and decision points.
- An FSRA call script and written-notification email template anchored to the FSRA IT Risk Management Guidance (2024) and MBRCC Cybersecurity Principles (2025).
- A one-page laminated wall card for the office (broker-of-record desk, server closet, kitchen).
- A post-incident written-record template that satisfies the FSRA examination question on incident logging.
What’s in this download?
The SOP is anchored to the Financial Services Regulatory Authority of Ontario’s IT Risk Management Guidance (published 2024, updated 2025) and the Mortgage Broker Regulators’ Council of Canada Cybersecurity Principles (2025). FSRA does not publish a fixed time-to-notify like the federal PIPEDA 72-hour clock, but it does expect material IT incidents to be notified promptly, in writing, and with a defensible internal incident-management record.
The 15-minute window in this SOP is not a regulator-mandated deadline; it is the operational discipline that turns “prompt” into something a broker-of-record can demonstrate.
The operational tools inside the document do four things. First, they assign named roles: who is the on-shift incident commander, who calls FSRA, who locks the building, who notifies the carrier, who notifies the lender partners if the incident is on the FilogixVelocity side. Second, they give a literal call script for the FSRA notification, so the person on the phone is not improvising under stress.
Third, they give the email template for the written follow-up, formatted the way FSRA examiners ask for it. Fourth, they capture the post-incident written record in a single editable document so the file is examiner-ready.
The wall card is the piece most brokerages tell us they wish they had. It is laminated, three colours, and lives in the kitchen, on the broker-of-record desk, and on the back of the server closet door.
When an admin sees a ransomware screen on Monday morning before the principal broker is in, the wall card tells them exactly which two phone numbers to call and which two email addresses to BCC, with the first message ready to send.
One data point from our client work: a 12-agent Halton-region brokerage that adopted this SOP after a near-miss in 2024 used it for real eight months later when a vendor system was compromised. FSRA notification was made inside 47 minutes from incident detection, the written follow-up went out the same day, and the FSRA market conduct review closed without a formal finding.
The principal broker has said publicly that the SOP and the wall card were the difference between a finding and a clean close. Reach out if you want to talk through how the SOP fits your specific carrier reporting obligations.
Who is this for?
This is for the principal broker of a 10 to 25 agent mortgage brokerage in Ontario, regulated by FSRA under the Mortgage Brokerages, Lenders and Administrators Act: the person whose name will be on the FSRA notification email in an incident. If that is you, this SOP is the document that means you are not drafting that email from scratch at midnight.
It is also for the principal broker of a Property and Casualty brokerage regulated by FSRA under the Insurance Brokers Act, where the same IT Risk Management Guidance applies. The SOP’s call script and written-notification template work for both mortgage and P&C, with two minor wording variations called out in the document.
Larger brokerages (25-plus agents) can adapt the named-role section to a deeper org chart; the underlying clock and the call script do not change.
It is not intended for federally regulated banks or for the OSFI-supervised side of a dual-regulated entity. FSRA-regulated brokerages with provincial scope are the audience. The SOP touches on MBRCC and IBAC, but is not written as an IIROC, OSFI, or AMF document. If your entity is dual-regulated, the SOP can serve as the FSRA-facing piece while a parallel federal-side procedure runs alongside it.
Download the FSRA IT Risk Incident Notification SOP
Fill in the four fields below. We will send the SOP PDF, the wall card PDF (print-ready), and the call-script and email templates to your brokerage email within five minutes. The wall card is sized for letter paper with a single-fold option for the kitchen pinboard.
Related deep dives
- The full FSRA IT Risk Incident Notification SOP walkthrough: the regulators, the timeline reasoning, and the clause-by-clause logic.
- Cybersecurity for Ontario financial brokerages: the controls and the budget that make the SOP something you can actually execute.
- MBRCC Cybersecurity Principles for mortgage brokerages: the national framework FSRA reads alongside its own guidance.
- FilogixVelocity account hardening for mortgage brokers: the lender-portal piece that triggers most of the incidents the SOP is built for.
- FSRA mortgage brokerage penalty 2026: cybersecurity lessons: the published enforcement case study that anchors the “why” of the SOP.
Frequently Asked Questions
What’s the download?
A PDF SOP (numbered 15-minute playbook, roughly 12 pages), a print-ready laminated wall card PDF, a Microsoft Word call-script and email-notification template (editable for firm-specific phone numbers and carrier contacts), and a one-page post-incident written-record template. The total payload is two PDFs and one Word document. Everything is anchored to the FSRA IT Risk Management Guidance and the MBRCC Cybersecurity Principles.
How will my data be used?
Your name, brokerage name, role, and email go into Fusion Computing’s contact system. We will email you the SOP files within minutes. We may send occasional updates relevant to Canadian financial brokerage IT and FSRA developments, no more than once a month. Your data is never sold, never shared with FSRA, never shared with carriers, and never shared with software vendors. Unsubscribe is one click.
Is this just a sales pitch?
No. The SOP, the wall card, the call script, the email template, and the record-keeping form are the deliverable.
Most brokerages that download the file never speak to Fusion, and the SOP works without our involvement. We make it free because regulator-anchored documents like this one are how Canadian brokerages find out we exist. If you want a conversation about Fusion handling the IT controls that sit behind the SOP, you can reach out on your own timeline.
Do I need to be an existing FC client?
No. The SOP is free for any FSRA-regulated brokerage in Ontario, any P&C brokerage, and any compliance consultant working with brokerages to download and adapt. It is published under a permissive license that allows use and modification inside the brokerage. The only restrictions are no resale and no removal of the Fusion Computing attribution footer on the cover page. Most downloaders are not Fusion clients, and that is fine.
Can I share it with my partner or colleague?
Yes. Share it with your co-principal broker, your compliance officer, your IT vendor, your carrier, your IBAC chapter, your FSRA market conduct contact, or your insurance broker. Attribution to Mike Pearlstein and Fusion Computing must remain on the cover page. We’d prefer your colleague download their own copy so we can keep them current when the SOP is updated, but we’re not going to police it.
Who wrote this?
Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Fusion has been doing regulator-anchored IT work for Canadian financial brokerages, law firms, and healthcare clinics since 2012. The SOP was built against the FSRA IT Risk Management Guidance (2024, updated 2025), the MBRCC Cybersecurity Principles (2025), and three real incident timelines that Fusion ran with FSRA-regulated brokerage clients in the past 18 months. It was reviewed by an outside FSRA compliance consultant before publication.
Bottom line
FSRA does not publish a fixed time-to-notify for IT incidents the way the federal PIPEDA regime publishes a 72-hour breach notification clock. What FSRA does publish is an expectation: prompt written notification, an internal incident-management record, and the broker-of-record being able to demonstrate both in a market conduct review. The 15-minute SOP is the operational discipline that turns “prompt” into something a broker-of-record can hand to an examiner without delay.
If you want help with the IT controls behind the SOP, the FilogixVelocity account hardening, the staff phishing training cadence the MBRCC Cybersecurity Principles expect, or the carrier reporting workflows, that is work Fusion does for Ontario brokerages every week.


