Information technology risk has become a more prevalent concern in recent years, so it comes as no surprise that Canadian pension regulators are focused on ensuring that plan administrators manage this risk effectively.
IT risk is associated with an entity’s IT infrastructure as a whole, including risk caused by error or malfunction, as well as risk caused by external actors seeking to compromise an entity’s IT system. It can also include risks that an entity experiences because of vulnerabilities in its service provider’s IT system.
Pension plans are particularly exposed to IT risk. They typically hold significant assets and confidential member data, which makes them attractive targets for cyberattacks. Weaknesses or failures in a plan sponsor's IT systems make a successful cyberattack more likely and can compromise a pension plan administrator's ability to manage the plan and pay benefits.
Canadian pension regulators have begun to issue regulatory policy on this topic. In 2021, the British Columbia Financial Services Authority released a guideline on information security for administrators of pension plans registered in B.C. The guideline sets out the BCFSA's expectations for how pension plan administrators monitor for and address IT risk, including incorporating IT risk into the plan's governance policy.
The guideline also provides that pension plan administrators must report “material incidents” to the BCFSA within 72 hours of the incident. Notably, plan administrators are responsible for determining whether an IT risk incident is sufficiently material to warrant reporting. The guideline sets out considerations that pension plan administrators can use to make this determination, which include factors such as impact on regular operations and confidential information.
Late last year, the Financial Services Regulatory Authority of Ontario issued comprehensive guidance on IT risk management, which will come into force on April 1, 2024. The guidance sets out seven practices for effective IT risk management, which are meant to ensure that FSRA-regulated entities, including pension plan administrators, follow industry-accepted practices for monitoring and addressing IT risk. For example, the practices contemplate integrating IT risk management into a plan’s governance structure and building resiliency in order to respond effectively to IT risk incidents.
Notably, one of the practices creates an obligation to report “material risk incidents” to the FSRA as soon as possible, generally, within 72 hours of the incident occurring. The guidance doesn’t define what constitutes a material risk incident — pension plan administrators must use their discretion to determine whether a risk incident is material. The guidance states that material risk incidents can include incidents that cause a serious disruption to a pension plan’s operations or compromise plan members’ data.
The Office of the Superintendent of Financial Institutions has also released a draft advisory setting out the regulator's expectations for administrators of federally regulated pension plans with respect to reporting IT risk incidents. It states that plan administrators must report IT risk incidents to the OSFI within 24 hours of the incident occurring. Like the BCFSA and the FSRA, the OSFI's advisory leaves it to the plan administrator's discretion to determine whether an IT risk incident is reportable. Generally, an incident is considered reportable if it impacts a pension plan's operations or compromises confidential information.
In addition to this jurisdiction-specific guidance, the Canadian Association of Pension Supervisory Authorities released a draft risk management guideline for pension plan administrators that addresses cyber risk among other risks. The draft guideline states that plan administrators should monitor and manage cyber risk and develop resiliency strategies to recover from IT risk incidents. It is designed to be scalable, and plan administrators are encouraged to develop risk management measures that are appropriate to the circumstances of their pension plan.
It will be critical for federally and provincially regulated pension plan administrators to stay abreast of these regulatory developments to ensure they remain compliant with applicable requirements. Because the reporting clocks differ by regulator (24 hours for the OSFI, 72 hours for the BCFSA and the FSRA) and each regime leaves the materiality determination to the administrator, a plan's incident response plan should identify which regulators the plan reports to, the applicable deadline and who is responsible for deciding whether an incident is material.
Lauren Graham is an associate at Brown Mills Klinck Prezioso LLP