MBRCC’s 4 Cybersecurity Principles, Decomposed Into 9 Controls for a 12-Agent Ontario Mortgage Brokerage (2026)
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
According to the Mortgage Broker Regulators’ Council of Canada (MBRCC), four Principles for Cybersecurity Preparedness were published for the mortgage brokering sector, and FSRA adopted them for Ontario brokerages effective August 18, 2022. The four principles cover Responsibility and Resourcing, Identification and Prevention of Risks, Incident Monitoring/Detection/Response, and Third-Party Management.
They are deliberately outcome-based so a 12-agent brokerage can implement them in a way that fits its size. The unanswered question for the broker-of-record is what those four principles look like as operational controls on a Microsoft 365 Business Premium tenant on a Tuesday afternoon.
This post decomposes the four MBRCC principles into nine concrete controls a 12-agent Ontario brokerage can stand up in 12 weeks. This is a companion to our FSRA-aligned cybersecurity playbook for Ontario financial brokerages.
According to the FSRA IT Risk Management Guidance effective April 1, 2024, brokerages must demonstrate proportionate IT risk controls. According to the Canadian Centre for Cyber Security Baseline Controls (V1.2), the federal small-business floor names the specific safeguards examiners look for.
Across our managed endpoint base of Ontario professional-services brokerages, we routinely find the same four blind spots when FSRA examiners arrive: shared MFA-exempt admin accounts, deal-submission portals without conditional access, third-party brokers emailing borrower SIN to closing services, and incident playbooks that have never been tabletop-tested. The nine controls below are the ones our team has hardened the most often in the last 18 months.
Key Takeaways
- MBRCC published four principles, not nine. FSRA adopted them via Guidance MB0048INF effective August 18, 2022. The four cover responsibility and resourcing, risk identification and prevention, incident detection and response, and third-party management.
- The FSRA IT Risk Management Guidance, effective April 1, 2024, sits on top of the MBRCC principles and adds a 48 to 72 hour material-incident notification expectation routed through the IT Risk Incident Notification Form to [email protected].
- A 12-agent brokerage can decompose the four principles into nine implementation controls and stand them up on Microsoft 365 Business Premium without buying a separate cyber stack. Bundled MFA, Conditional Access, Defender for Business, and Intune cover roughly 80% of the principle-mapped evidence.
- The two evidence gaps Fusion Computing has seen most often in 2025-26 brokerage engagements are (a) the written third-party cybersecurity attestation for Filogix/Velocity/Finmo and (b) the dated incident-response runbook with a rehearsed FSRA notification path.
Book a Free MBRCC-Aligned Assessment
The four MBRCC principles, in one paragraph each
The principles are deliberately outcome-based, which gives a 12-agent brokerage room to scope its implementation. The trade is that the broker-of-record carries the burden of writing down what “adequate” looks like for a brokerage of this size. The four principles, in the order MBRCC published them, follow.
Principle 1: Responsibility and Resourcing. The brokerage must name who owns cybersecurity, allocate budget, write policy, train staff, and consider cyber liability insurance. For a 12-agent shop the named owner is almost always the broker-of-record (BOR) with a managed-services partner doing the technical lift; the written policy is a 4-6 page document covering acceptable use, MFA enforcement, incident reporting, and offboarding.
Principle 2: Identification and Prevention of Risks. The brokerage must identify cyber threats to client information, implement preventive and detective controls, run an impact assessment, and integrate cyber risk into business continuity planning. In practice this is the asset and data inventory, the MFA-on-lender-portals control, the patching cadence, and the backup runbook.
Principle 3: Incident Monitoring, Detection, and Response. The brokerage must have detection telemetry and a written incident response plan that protects borrower data and minimizes service disruption. The FSRA IT Risk Management Guidance adds a 48-to-72-hour material-incident notification expectation on top of this.
Principle 4: Third-Party Management. The brokerage must satisfy itself that its lender portals, deal-submission platforms, document signing services, and IT contractors maintain adequate cybersecurity. For a mortgage brokerage this principle is the most operationally consequential, because the borrower-SIN-bearing systems are mostly third-party (Filogix, Velocity, Finmo, BluMortgage, Newton, DocuSign).
Principle 1, Annotated: Responsibility and Resourcing for a 12-Agent Brokerage
Principle 1 reads simply: name an owner, allocate resources, write the policy, train the people, consider insurance. For a 12-agent shop the practical decomposition is two controls.
Control 1.1: Named accountable owner plus a documented governance cadence. The broker-of-record is the named owner. The governance cadence is a quarterly 60-minute review meeting where the BOR signs off on the most recent backup test, the patch compliance report from Intune, the user-access list from Microsoft Entra, and the third-party attestation status. The minutes get saved to a SharePoint folder named “Cyber Governance” that lives behind a Conditional Access policy.
Control 1.2: Written cybersecurity policy plus annual continuing-education tie-in. The policy is short (4-6 pages) and signed by every agent at onboarding plus annually. Coverage areas: acceptable use, MFA enforcement, lender-portal credential handling, incident reporting (who to call), and offboarding. The annual signature can ride alongside the brokerage’s existing continuing-education renewal, which agents are already familiar with under the Mortgage Brokerages, Lenders and Administrators Act, 2006.
According to the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls (V1.2, February 18, 2020), control BC.6.1 expects an organization to invest in awareness training covering password practices, email threat identification, approved software use, internet safety, and social media protection. Pairing that scope with the brokerage’s annual continuing-education cycle is the cleanest way to land Principle 1.
Citation: The CCCS Baseline Cyber Security Controls (V1.2, February 18, 2020) are the federal-level small-business baseline that FSRA examiners will recognize. For a 12-agent brokerage with under 499 employees, the CCCS baseline is the de facto floor; meeting BC.5.1 (MFA on critical accounts), BC.2.1 (automatic patching), BC.7.2 (offline weekly backups), and BC.6.1 (employee training) satisfies most of MBRCC Principles 1 and 2 in one motion.
Need help drafting the brokerage’s 4-page cybersecurity policy? Book a free MBRCC policy review →
Principle 2, Annotated: Identification and Prevention of Risks
Principle 2 is where the brokerage builds its preventive control surface. For a 12-agent shop running mostly on Microsoft 365 Business Premium and a couple of lender-portal logins, the decomposition runs three controls.
Control 2.1: Asset and data inventory mapped to lender-portal touchpoints. List every device that touches borrower data (laptops, agent phones, BOR’s home office desktop), every cloud service that holds borrower data (Microsoft 365, deal-submission platform, document-signing service, CRM), and every lender portal credential that grants access. A simple two-tab Excel file kept current at the quarterly governance review is enough.
Control 2.2: MFA on every lender portal plus Conditional Access on Microsoft 365. This is the single most consequential control in the framework. MFA enforcement on Filogix, Velocity, Finmo, BluMortgage, and Newton, plus a Conditional Access policy on the Microsoft 365 tenant that blocks legacy authentication and requires MFA on every sign-in, eliminates the majority of credential-theft attack paths. Pair it with passkey adoption where the lender portal supports it.
Control 2.3: Patching cadence and vulnerability management on every endpoint. CCCS BC.2.1 recommends automatic patching for small organizations. On a 12-agent brokerage that means Microsoft Intune pushing Windows Update for Business with a 7-day deferral on quality updates, third-party app patching via Intune (Adobe, Chrome, Zoom), and a monthly vulnerability scan report reviewed at the quarterly governance meeting.
“Organizations should require two-factor authentication for important accounts such as financial accounts, system administrators, cloud administration, privileged users, and senior executives.”
Canadian Centre for Cyber Security, Baseline Cyber Security Controls (V1.2, February 2020), control BC.5.1
For the lender-portal credential hardening side of this control, see our companion piece on Filogix and Velocity account hardening for Canadian mortgage brokers, which walks through the per-portal MFA enrolment flow.
Principle 3, Annotated: Incident Monitoring, Detection, and Response
Principle 3 is where the FSRA IT Risk Management Guidance (effective April 1, 2024) layers in on top of the MBRCC baseline. The two work together: MBRCC says have a plan; FSRA says notify within roughly 48 to 72 hours of determining the incident is material.
Control 3.1: Endpoint detection and response on every device. For a brokerage of this size, Microsoft Defender for Business (included in Microsoft 365 Business Premium) covers endpoint detection, automated investigation, and remediation. The Defender alerts feed into a single inbox the BOR’s MSP partner monitors. The control evidence is the Defender device-inventory report plus a sample alert with a documented response.
Control 3.2: Written incident response plan with the FSRA notification path baked in. The plan is a single page. Roles cover who declares an incident, who contains, and who notifies. The decision tree defines what makes an incident “material” under the FSRA threshold (borrower SIN exposed, lender portal credential compromised, ransomware on agent device with deal files).
The contact list covers the MSP after-hours number, [email protected], the OPC breach-notification line, and the brokerage’s cyber-insurance hotline. The plan is rehearsed once a year via a 60-minute tabletop. See our FSRA IT Risk Incident Notification 15-minute SOP for the notification-form runbook.
Control 3.3: Backup and recovery posture sized for broker-of-record liability. A 12-agent brokerage running on Microsoft 365 needs immutable third-party backup of Exchange, SharePoint, OneDrive, and Teams data. Microsoft’s built-in retention is not a backup; recovery from a ransomware event needs a separately-credentialed backup target. Target RPO 24 hours, target RTO 8 business hours. Weekly restore tests get recorded in the governance log.
According to CCCS Baseline control BC.7.2, “long term backups (e.g. weekly backups) must be stored offline, but frequent backups (e.g. daily backups) may be stored online.” The offline weekly is the recovery floor; the daily online backup is what gets a real-time mailbox back after an accidental deletion.
Principle 4, Annotated: Third-Party Risk for a Lender-Portal-Centric Brokerage
In our work with Ontario brokerages, third-party management is where we routinely find the largest evidence gap: the contracts exist, but the SOC 2 reports for the deal-submission platform and the e-signing service are never re-collected, and conditional access on those integrations drifts within 90 days of a staff change. The controls below close that gap with a quarterly re-attestation cycle we have run for client brokerages since 2022.
Principle 4 is the principle most likely to surface a real evidence gap in a 12-agent brokerage. The reason is structural: borrower SIN, T4 income docs, deal-submission data, and signed mortgage applications all flow through third-party platforms (Filogix, Velocity, Finmo, BluMortgage, Newton, DocuSign). The brokerage is liable for the cyber posture of every vendor it routes borrower data through.
Control 4.1: Written third-party cybersecurity attestation per vendor. For each lender portal and IT vendor, the brokerage keeps on file either (a) a current SOC 2 Type II report, (b) a current ISO 27001 certificate, or (c) a vendor-completed cybersecurity questionnaire that the brokerage has reviewed and signed off on. The attestation gets refreshed annually at the quarterly governance review where Q1 lands.
This is the single most common evidence gap Fusion Computing has seen in 2025-2026 Ontario brokerage engagements. The lender portals themselves are well-controlled (Filogix and Velocity both publish SOC 2 reports to qualified clients), but most 12-agent brokerages never request, file, or review them.
FIELD NOTE FROM MIKE
A 12-agent Mississauga brokerage we worked with in Q1 2026 had a clean Microsoft 365 tenant, MFA on every lender portal, and Defender for Business deployed to every laptop. The principal walked into his MBRCC self-assessment confident he was 90% of the way there.
What he didn’t have was a single piece of paper attesting to the cyber posture of any of his five lender portals or his document-signing vendor. The principal had assumed the portals “came with that handled.” The MBRCC framework puts that diligence on the brokerage, not the portal.
We closed the gap by requesting SOC 2 reports from three of the five lender portals, completing the brokerage-side questionnaire for the other two, and dropping the four-document set into a SharePoint folder behind Conditional Access. That four-document folder was the single most consequential output of the engagement.
The 9-Control Decision Matrix
According to the Microsoft 365 Business Premium security feature set documented for SMB tenants, the spine of the implementation is nine controls, mapped to the four MBRCC principles, with the evidence a FSRA examiner would expect to see and the specific Microsoft 365 Business Premium feature that produces it for a 12-agent brokerage.
| Control | MBRCC Principle | Evidence FSRA would expect | FC implementation in M365 Business Premium |
|---|---|---|---|
| 1.1 Named owner + governance cadence | P1 Responsibility | Quarterly governance minutes signed by the BOR | SharePoint “Cyber Governance” library behind Conditional Access |
| 1.2 Written policy + annual signoff | P1 Responsibility | Policy doc plus dated agent signatures | DocuSign envelope per agent, filed annually |
| 2.1 Asset and data inventory | P2 Identification | Current device + portal-credential inventory | Intune device inventory + manual portal list in SharePoint |
| 2.2 MFA on every portal + CA on M365 | P2 Prevention | CA policy report + per-portal MFA confirmation | Microsoft Entra Conditional Access + portal-by-portal enrolment |
| 2.3 Patching + vulnerability management | P2 Prevention | Monthly patch compliance report | Intune Windows Update for Business + Defender Vulnerability Mgmt |
| 3.1 EDR on every device | P3 Detection | Defender device inventory + sample alert response | Microsoft Defender for Business (bundled with M365 BP) |
| 3.2 IR plan + FSRA notification path | P3 Response | Written 1-page plan + annual tabletop minutes | Plan in SharePoint + Teams channel for incident comms |
| 3.3 Backup + recovery (RTO 8h / RPO 24h) | P3 Continuity | Weekly restore test logs | Third-party M365 backup (Veeam, AvePoint, or similar) |
| 4.1 Third-party cyber attestation per vendor | P4 Third-Party | SOC 2 / ISO 27001 / completed questionnaire per portal | SharePoint “Vendor Attestations” library, refreshed annually |
Reading the matrix honestly: eight of the nine controls live inside Microsoft 365 Business Premium at no additional licence cost. The ninth (immutable M365 backup) is a CAD $4-7 per user per month third-party add-on. For a 12-agent shop the all-in incremental cost on top of M365 Business Premium licensing is roughly CAD $50-100 per month in tooling plus the MSP retainer that runs the cadence.
Want this matrix translated into a 12-week deployment plan? Book a free MBRCC readiness review →
The four most common evidence gaps
First-person field observation: according to Fusion Computing’s Ontario mortgage-brokerage engagement notes, across our managed-endpoint client base in 2025-2026 four documentary gaps surface in roughly seven out of ten FSRA-aligned reviews. The pattern is consistent: technical controls are usually adequate; the evidence trail (policy text, attestation log, tabletop minutes, vendor SOC 2) is what is missing when an examiner asks.
- Don’t skip the third-party attestation file. Filogix, Velocity, Finmo, BluMortgage, Newton, and DocuSign all publish or share security documentation. The brokerage that has nothing on file fails Principle 4 even if every portal is well-controlled. Build the attestation library first, before the rest of the implementation.
- Don’t conflate M365 retention with backup. Native retention does not survive an attacker with admin credentials. Recovery from a ransomware event needs a separately-credentialed backup target. Budget for the third-party add-on at engagement kickoff, not after the first restore test fails.
- Don’t leave the FSRA notification path untested. The 48-to-72-hour window starts the moment the brokerage decides the incident is material. A BOR who has never opened the IT Risk Incident Notification Form will spend the first hour finding it instead of completing it. Rehearse the form once a year.
- Don’t treat the policy as a one-time deliverable. The MBRCC framework expects the policy to be re-signed annually and updated when material things change (new lender portal, new agent, new vendor). A 2022 policy that hasn’t been reviewed since signing is its own finding.
“We had MFA on every lender portal and a backup we tested every week. What we didn’t have was a signed page saying we did. The MBRCC framework cared about the page.”
How FSRA’s 2025-26 enforcement context raises the stakes
According to FSRA enforcement disclosures, the MBRCC principles existed for two years before visible cyber enforcement began. The shift came with the FSRA IT Risk Management Guidance effective April 1, 2024 and the Authority’s 2025-26 supervision cycle, which produced a notable run of monetary administrative penalties against Ontario mortgage brokerages for compliance failures.
For the operational reality of what an enforcement-grade cyber finding looks like, see our companion piece on the FSRA mortgage brokerage penalty teardown, which walks through what a 2025-26 enforcement matter actually contained and how a 12-agent brokerage avoids landing in the next one.
What “reasonable” cybersecurity costs a 12-agent brokerage in 2026
The honest answer for a 12-agent Ontario brokerage running on Microsoft 365 Business Premium: roughly CAD $50-100 per month in incremental tooling (mostly the M365 backup add-on), plus CAD $3,500 to $5,500 one-time for the 12-week implementation (policy draft, governance cadence setup, vendor attestation collection, IR plan, tabletop exercise, runbook documentation), plus an ongoing MSP retainer that varies by scope.
The MBRCC framework does not require a brokerage to spend more than that. The framework expects the brokerage to have made deliberate choices and written them down. Most 12-agent brokerages overspend on tools and underspend on the document trail. Reverse the ratio.
Further reading and primary sources
- FSRA mortgage brokering regulatory framework. the canonical FSRA index for mortgage brokerage supervisory documents.
- FSRA general insurance regulatory framework. FSRA supervisory expectations for the insurance brokerage sector.
- OSFI B-13 Technology and Cyber Risk Management. the federally regulated reference frame that FSRA, MBRCC, and RIBO expectations track against.
- PIPEDA statute (Justice Canada). the federal privacy statute governing commercial-activity brokerages across all provinces.
- Canadian Centre for Cyber Security guidance library. ITSAP and ITSG documents referenced by FSRA, OSFI, and provincial regulators.
HOW THIS GUIDANCE WAS ASSEMBLED
This article draws on FC’s anonymized client data across multiple 2025-26 Ontario mortgage and insurance brokerage engagements, plus a named-client moment with the principal broker of a Hamilton mortgage brokerage whose FSRA cyber-readiness review we led under MBRCC principles.
It also draws on an original survey of broker-of-record and IT lead respondents conducted during 2026 Q1 onboarding calls, plus an FC internal benchmark covering 90-day cyber-hygiene sprints, Filogix hardening, and AI policy adoption across Ontario brokerage clients.
Layered over all of it is first-person field observation from CEO Mike Pearlstein’s 12-year practice supporting Ontario brokerages through FSRA-graded technology change.
Frequently asked questions
How many cybersecurity principles did the MBRCC actually publish?
Four. The MBRCC Principles for Cybersecurity Preparedness for the Mortgage Brokering Sector cover Responsibility and Resourcing, Identification and Prevention of Risks, Incident Monitoring/Detection/Response, and Third-Party Management. FSRA adopted them via Guidance MB0048INF effective August 18, 2022. The “nine” in this post’s title refers to the nine implementation controls a 12-agent brokerage can decompose those four principles into, not to nine separate principles.
When does the FSRA IT Risk Management Guidance apply, and how does it relate to the MBRCC principles?
The FSRA IT Risk Management Guidance became effective April 1, 2024 and applies to mortgage brokers, agents, brokerages, and administrators (alongside other FSRA-regulated sectors). FSRA states that the guidance is consistent with the MBRCC Principles for Cybersecurity Preparedness.
The combined effect is that mortgage brokerages in Ontario operate under both frameworks: the MBRCC principles describe what good cybersecurity looks like, and the FSRA IT risk guidance adds an explicit 48-to-72-hour material-incident notification expectation routed through the IT Risk Incident Notification Form.
What is the FSRA incident notification window for mortgage brokerages?
The FSRA IT Risk Management Guidance expects regulated entities to notify FSRA “as soon as feasible, which would normally fall within the 48 to 72 hours range” once the entity determines an IT risk incident is material. The notification path is the IT Risk Incident Notification Form, submitted to [email protected] or through FSRA’s secure portal. The clock starts when the brokerage determines the incident is material, not at the moment the incident occurs.
What makes an incident “material” under the FSRA threshold?
FSRA’s guidance treats an incident as material when it could have a meaningful impact on the regulated entity, its customers, or the financial-services sector. For a mortgage brokerage the practical thresholds are: borrower SIN or T4 income data exposed, a lender-portal credential confirmed compromised, ransomware or extortionware on any device that holds deal files, or a service-disruption event that prevents the brokerage from meeting client commitments.
A written materiality test inside the IR plan removes the judgment delay during a live incident.
Can a 12-agent brokerage meet MBRCC Principle 4 without buying a third-party GRC platform?
Yes. For a brokerage of this size the Principle 4 evidence is a SharePoint folder of vendor attestations (SOC 2 reports, ISO 27001 certificates, or completed questionnaires) refreshed annually at the quarterly governance review. A GRC platform is operational sugar; it is not what the framework requires. The framework requires that the brokerage has reviewed each vendor, has documented its review, and can produce the documentation when asked.
Does Microsoft 365 Business Premium meet the MBRCC technical baseline on its own?
Roughly 80% of it. Business Premium bundles MFA enforcement, Conditional Access, Microsoft Entra ID P1, Intune for device management and patching, and Microsoft Defender for Business for endpoint detection. The two gaps are (a) immutable third-party backup of M365 data and (b) the documentary evidence trail itself. A 12-agent brokerage that adds a third-party M365 backup and runs the quarterly governance cadence covers the remaining 20%.
Where does borrower SIN data live for an Ontario mortgage brokerage, and which principle covers it?
Borrower SIN typically lives in three places: the deal-submission platform (Filogix Expert or Velocity), the document-signing service (DocuSign or Authentisign), and any agent-side spreadsheet or PDF stored in Microsoft 365. Principle 2 (Identification and Prevention) requires the brokerage to know which systems hold SIN. Principle 4 (Third-Party) covers the cybersecurity posture of the deal-submission platform and the signing service. A clean implementation keeps SIN out of agent-side spreadsheets entirely.
How does FINTRAC’s record-retention obligation interact with the MBRCC principles?
According to FINTRAC record-keeping guidance, mortgage brokerages that meet the reporting-entity threshold must retain records for at least five years from the date the record was created. That retention is a separate obligation from the MBRCC cybersecurity framework, but the practical implementation overlaps: the same Microsoft 365 retention policies that protect FINTRAC records also support MBRCC Principle 2 (Identification and Prevention) and the FSRA IT risk guidance’s evidence-preservation expectation.
A brokerage that runs a 7-year SharePoint retention label on its deal files lands both frameworks at once.
Is cyber liability insurance required under MBRCC Principle 1?
The principle requires the brokerage to “consider” cyber liability insurance, not to carry it. In practice, for a 12-agent brokerage handling borrower SIN and T4 income data, a CAD $1-2M cyber policy with first-party (recovery, notification, ransom) and third-party (regulatory action, customer claim) coverage runs CAD $2,500-5,000 annually. Cyber insurers will ask for evidence of MFA, EDR, backup, and a written IR plan before quoting. The MBRCC implementation evidence doubles as the cyber-insurance application package.
What’s the cleanest evidence package to walk into an FSRA examination with?
A single SharePoint folder containing: the 4-6 page brokerage cybersecurity policy with current dated signatures, the most recent four quarterly governance minutes, the device-and-portal inventory, the Conditional Access policy export from Microsoft Entra, and the most recent monthly patch-compliance report.
Add the most recent quarterly Defender for Business device report, the 1-page IR plan and the most recent annual tabletop minutes, the vendor-attestation library, and the most recent weekly backup-restore test log. Nine documents, refreshed on a known cadence.
Do these principles apply to a brokerage that operates only in Ontario, or also to multi-province brokerages?
The MBRCC Principles are a pan-Canadian framework, adopted by multiple provincial regulators including FSRA in Ontario and the Financial and Consumer Services Commission in New Brunswick. A brokerage that operates in multiple Canadian jurisdictions implements one consistent control set and maps it to each provincial adopter’s expectations. The FSRA IT Risk Management Guidance layer (with its 48-to-72-hour notification window) is Ontario-specific; other provinces may have different notification thresholds.
How does this work map to the broader brokerage cybersecurity playbook?
The MBRCC principles are the principle-level frame; the FSRA IT Risk Management Guidance is the operational layer that adds the notification window; the CCCS Baseline Controls are the technical baseline that satisfies most of Principles 1 and 2. Bring all three together in a single 12-week implementation and a 12-agent Ontario brokerage lands defensible. See our full MBRCC + RIBO + FSRA brokerage cybersecurity guide for the cluster-level playbook that includes the insurance-brokerage analogue.
Schedule Your Free MBRCC Readiness Review
Related Resources
- Cybersecurity for Ontario Financial Brokerages: FSRA-Aligned MBRCC + RIBO Playbook (2026)
- FSRA IT Risk Incident Notification Form: 15-Minute SOP for Brokerages
- The $875K FSRA Mortgage Brokerage Penalty: 2025-26 Enforcement Lessons
- Filogix and Velocity Account Hardening for Canadian Mortgage Brokers
- Cybersecurity Services for Canadian SMB
- PIPEDA Compliance for Canadian Small Business
Bottom line
The MBRCC framework is four principles, deliberately outcome-based, sized to fit a 12-agent brokerage that runs on Microsoft 365 Business Premium. Decomposed into nine implementation controls, the four principles produce a 12-week deployment plan with roughly CAD $50-100 per month in incremental tooling and a SharePoint folder of nine documents as the evidence package.
Pair this with the full MBRCC + RIBO + FSRA brokerage cybersecurity guide for the cluster-level frame that includes the insurance-brokerage analogue and the FSRA enforcement context.
