OSFI ties Canada’s financial competitiveness to operational resilience

With Ottawa leaning on innovation to boost competitiveness, OSFI is reminding insurers that true strength lies in resilience – not just capital


By Branislav Urosevic

As Canada’s federal government doubles down on competitiveness and innovation through Budget 2025, insurers may find themselves with more room to modernize. The budget’s tax and policy measures – including expanded support for digital transformation and R&D – are expected to help financial institutions invest in efficiency and resilience. Some industry experts say these incentives could make it easier for insurers to strengthen their systems, automate processes, and build the kind of operational agility regulators now expect.

That expectation was underscored recently by Jacqueline Friedland, executive director of the risk assessment and intervention hub at the Office of the Superintendent of Financial Institutions (OSFI). Speaking at the AM Best conference, she said the regulator’s new mantra is simple: operational resilience is financial resilience.

For Canada’s insurance sector, the era of treating technology, cyber, and operational failures as “non-financial” risks is over, she said.

“Canada’s financial system is facing a convergence of complex risks – from geopolitical and cyber threats to natural catastrophes, auto insurance reform and elevated credit risk,” she said. “Non-financial risks are no longer peripheral risks. Instead, we recognize that they are core drivers of financial and operational resilience.”

That statement reflects a regulator moving decisively toward integrated supervision. OSFI’s semi-annual update to its Annual Risk Outlook, released in October, highlights the same shift. “Our mandate and prudential framework are focused on both financial and operational resilience, as well as integrity and security, including national security,” Friedland said.

From stability to adaptability

The goal, she emphasized, is balance – between safety and sensible risk-taking. “We expect federally regulated financial institutions to be resilient and prepared to manage the risk they face,” she said. That means recognizing that risk-taking is not only permitted but expected, provided governance keeps pace with complexity.

Friedland described OSFI’s evolving supervisory posture as guided by one principle: “Always be advancing.”

The phrase, attributed to Superintendent Peter Routledge, captures the regulator’s effort to be more agile, targeted, and transparent in how it assesses threats. “Our actions will be deliberate, focused, and strategic, mindful that resilience in the financial system is essential to a strong economy,” she said.

Eight practices that define resilience

Friedland’s most practical contribution to the discussion came in the form of eight “best practices” drawn from OSFI’s Technology Risk Division and Operational Risk Division. They amount to a checklist for every insurer’s board and executive team.

  1. Identify what’s critical – and why.
    Resilient firms, she said, start with “a structured approach to assessing which operations are critical, including specific criteria for assessing criticality.” The exercise forces clarity about which business services must continue under stress.
  2. Measure when disruption exceeds tolerance.
    Organizations should be “establishing clear metrics for determining when an institution exceeds its tolerance for disruption,” a way of ensuring that early-warning indicators trigger escalation before outages cascade.
  3. Test like it matters.
    That means “going beyond simple tabletop testing when conducting scenario analysis” to prove that recovery plans and workarounds can withstand “severe but plausible” shocks — cyberattacks, vendor failures, or climate events.
  4. Treat operational capabilities as ‘table stakes.’
    Friedland called out “change management, cybersecurity, business continuity, and disaster recovery” as baseline disciplines that must be continuously maintained, not revisited after incidents.
  5. Keep tests long, layered, and realistic.
    Resilience is endurance, not agility alone. Tests should simulate prolonged disruptions and overlapping failures — lessons drawn from COVID, ransomware, and climate-linked events that exposed the limits of neat contingency plans.
  6. Practice cyber hygiene relentlessly.
    That includes “applying timely security patches, leveraging real-time threat intelligence, and proactively monitoring emerging risks such as AI-driven threats.” The growing use of generative AI tools, she noted, is already spawning “deepfake-based phishing attempts” that require behavioral anomaly detection, not just traditional perimeter defense.
  7. Respond fast – and prove it.
    She stressed the need for “a robust incident-management process… to respond swiftly and effectively to security events.” Firms should be able to show who decides what, when, and how communication flows internally and to regulators.
  8. Control access like it’s capital.
    Finally, “strengthening identity and access management controls by enforcing least privilege, multi-factor authentication, and continuous auditing” is essential to prevent both external and insider misuse.
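Practices 1 and 2 above call for a criticality assessment and for metrics that show when disruption exceeds tolerance. The following Python script is an added example of what such a metric can look like in practice; it is not code from OSFI or from the article. It assumes each critical service has an impact tolerance expressed as a maximum outage in minutes within a rolling window, plus an early-warning fraction at which escalation starts; the service names, tolerances and outage timestamps are constructed sample data.

```python
"""Impact-tolerance tracker (added example; not OSFI's or the article's code).

Assumptions (hypothetical): each critical service declares its impact tolerance as the
maximum tolerable outage minutes in a rolling window, and a warn_fraction at which
escalation begins before the tolerance is fully consumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CriticalService:
    name: str
    max_outage_minutes: int      # impact tolerance: disruption beyond this is intolerable
    warn_fraction: float = 0.5   # escalate once this share of the tolerance is used up


@dataclass(frozen=True)
class Outage:
    service: str
    start: datetime
    end: Optional[datetime] = None   # None means the outage is still ongoing


def minutes_in_window(outage: Outage, window_start: datetime, now: datetime) -> float:
    """Outage minutes that fall inside [window_start, now]; ongoing outages count up to now."""
    start = max(outage.start, window_start)
    end = now if outage.end is None else min(outage.end, now)
    return max(0.0, (end - start).total_seconds() / 60.0)


def assess(services: List[CriticalService], outages: List[Outage], now: datetime,
           window_hours: int = 24) -> Tuple[Dict[str, Tuple[float, str]], List[str]]:
    """Return ({service: (minutes consumed, OK|WARN|BREACH)}, [services with no criticality rating]).

    An outage on a service that was never assessed for criticality is reported separately:
    practice 1 says every disrupted service should already have a rating.
    """
    window_start = now - timedelta(hours=window_hours)
    by_name = {s.name: s for s in services}
    consumed = {name: 0.0 for name in by_name}
    unclassified = set()
    for outage in outages:
        if outage.service not in by_name:
            unclassified.add(outage.service)
            continue
        consumed[outage.service] += minutes_in_window(outage, window_start, now)

    report: Dict[str, Tuple[float, str]] = {}
    for name, svc in by_name.items():
        used = consumed[name]
        if used >= svc.max_outage_minutes:
            status = "BREACH"          # tolerance exceeded: intolerable disruption
        elif used >= svc.warn_fraction * svc.max_outage_minutes:
            status = "WARN"            # early-warning indicator: escalate before cascade
        else:
            status = "OK"
        report[name] = (round(used, 1), status)
    return report, sorted(unclassified)


def demo() -> Tuple[Dict[str, Tuple[float, str]], List[str]]:
    """Run the tracker over constructed sample data (hypothetical services and timestamps)."""
    now = datetime(2025, 11, 5, 14, 0)
    services = [
        CriticalService("claims_payments", max_outage_minutes=60),
        CriticalService("policy_admin", max_outage_minutes=240),
        CriticalService("agent_portal", max_outage_minutes=480),
    ]
    outages = [
        Outage("claims_payments", datetime(2025, 11, 5, 8, 0), datetime(2025, 11, 5, 9, 30)),
        Outage("policy_admin", datetime(2025, 11, 5, 9, 0), datetime(2025, 11, 5, 10, 30)),
        Outage("policy_admin", datetime(2025, 11, 5, 13, 0)),                # still ongoing
        Outage("agent_portal", datetime(2025, 11, 4, 10, 0), datetime(2025, 11, 4, 16, 0)),  # partly outside window
        Outage("agent_portal", datetime(2025, 11, 5, 11, 0), datetime(2025, 11, 5, 11, 20)),
        Outage("legacy_report_job", datetime(2025, 11, 5, 12, 0), datetime(2025, 11, 5, 12, 10)),  # never rated
    ]
    return assess(services, outages, now)


if __name__ == "__main__":
    report, unclassified = demo()
    for name, (minutes, status) in report.items():
        print(f"{name:16s} {minutes:6.1f} min  {status}")
    if unclassified:
        print("outages on services with no criticality rating:", ", ".join(unclassified))
```

The rolling window is what makes the metric useful as an early-warning indicator: the ongoing policy_admin outage is counted up to the current time, so the service reaches WARN while a decision can still be made, and the agent_portal outage from the previous day is clipped at the window boundary rather than counted in full.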

Together, the eight points read like a blueprint for resilience by design – a system in which governance, technology, and testing converge into measurable outcomes rather than paperwork.

Evidence over promises

OSFI’s approach to supervision increasingly focuses on outcomes: can institutions demonstrate, with data and scenarios, that their controls actually work? The regulator no longer treats cyber, data integrity, or continuity as technical issues. They are systemic, affecting solvency, liquidity, and public confidence.

The expectation now is that firms can show proof of resilience – not intentions. That extends to their vendors and third parties: asset managers, MGAs, and cloud providers are all part of the operational-resilience perimeter.

“Our actions,” Friedland said, “will be deliberate, focused, and strategic.”

For insurers, that means embedding operational resilience into every line of defense – and treating downtime the same way they treat capital shortfalls: as a failure of management, not just of systems.
