Pension plan sponsors must effectively employ care, diligence and skill when facing cybersecurity threats, said Sandeep Kakan, board trustee and secretary at the Canada-Wide Industrial Pension Plan, during a session at the Canadian Investment Review’s 2023 Defined Benefit Investment Forum in December.
Cybersecurity concerns are rising in the aftermath of the MOVEit hack, which compromised the information of more than 2,000 organizations, including plan sponsors. In Ontario, the Pension Benefits Act, administered by the Financial Services Regulatory Authority of Ontario, requires plan sponsors to ensure a certain standard of protection for digital information.
“The takeaway from the act is that in order to adequately protect plan members’ rights and benefits, administrators also must make sure and mitigate [information technology] risks.”
Canadian regulators have increasingly taken cybersecurity threats seriously, said Kakan, noting the FSRA has placed an emphasis on IT risks to promote the protection of pension benefits and the rights of plan members. “Through the information section, FSRA also lays out seven practices for effective IT risk management based on national and international standards that pension plans would be well advised to follow.”
The CWIPP, which is currently conducting a risk assessment of its service providers, requires its employees and workers to certify acknowledgement of its data integrity policy. It also recently pursued an insurance policy for cybersecurity coverage, which covers cyberextortion and ransomware, said Kakan. The policy, which protects “data holstered on a third-party network like the cloud,” also covers data restoration and remediation, loss of business revenue, regulatory proceedings coverage and liability coverage for invasion of privacy rights and virus transmission.
During the session, Kakan also outlined the CWIPP’s protocol for dealing with a cybersecurity risk scenario. The first step is to cut off unauthorized access through a system shutdown and recovery process. Depending on the advice of available legal counsel, the plan sponsor would then inform privacy commissioners and complete a breach report form under the Personal Information Protection and Electronic Documents Act. In this scenario, the board chair would then inform the insurer of the threat. Records of the incident would be maintained for 24 months and made available if a request is filed.
“The results of the breach investigation and related plans should be put on the agenda for the board trustees at the next meeting.”