The Association of Canadian Pension Management is urging the Financial Services Regulatory Authority of Ontario to apply a best practices approach for the pension sector in its information technology risk management guidance.
In an open letter to the FSRA, the ACPM said a real-time reporting framework for material IT risk incidents could result in a diversion of resources away from incident management and create additional risk through the sharing of sensitive information. It also noted the resourcing and coordination associated with such reporting may be particularly burdensome for smaller, single-employer pension plans.
The guidance also stated pension administrators must inform the FSRA of a material IT risk incident or risk breaching their fiduciary duty as set out in the Pension Benefits Act, a requirement the ACPM described as “overly stringent.”
“Whether or not there has been a breach of fiduciary duty requires an analysis of all relevant facts in a given situation,” wrote Ric Marrero, chief executive officer of the ACPM, in the letter. “Administrators, in their fiduciary capacity, are already accountable to have appropriate governance, risk management and data management frameworks that encompass the risks associated with information technology and the management of confidential or personal data and information, including where this is subject to delegation or service agreements with third parties.”