In April 2023, the Office of the Superintendent of Financial Institutions (“OSFI”) identified cyber risk as a major issue to be addressed in its Annual Risk Outlook – Fiscal Year 2023-2024. Consequently, OSFI recently released a draft advisory (“Draft Advisory”) for technology and cyber security incidents that affect federally regulated private pension plans (“FRPPs”).
The Draft Advisory sets out the responsibilities of FRPPs to address technology and cyber security incidents and OSFI’s expectations with respect to reporting such incidents.
Scope of Technology and Cyber Security Incidents and Criteria For Reporting
The Draft Advisory defines a “technology or cyber security incident” as “an incident that has an impact, or the potential to have an impact, on the operations of an FRPP, including its confidentiality, integrity or the availability of its systems and information”. When such an incident occurs, OSFI requires the administrator of the FRPP to notify OSFI promptly and effectively by filing the Technology and Cyber Incident Report for FRPPs (the “Incident Report”). Note that these requirements differ from those imposed by federal privacy law.
Under the Draft Advisory, a reportable incident may have any one or more of the following characteristics:
- Impact has potential consequences to other FRPPs or the Canadian financial system
- Plan members or beneficiaries are affected (such as issues with pension payments or contribution remittances, or personal information being compromised)
- Impact on employer operations, infrastructure, data, or systems that may result in the employer operations shutting down temporarily
- Severe and extended disruptions to critical pension systems or operations
- Pension fund investments operations are impaired
- A disaster declaration has been made by a third-party vendor that affects the pension plan
- A pension plan’s resiliency plan has been put into effect
- A negative effect on the reputation of the plan administrator, employer or participating employers, or service providers is anticipated
- Impact on a third party affecting the pension plan
- An incident affecting the pension plan has been reported to the Board of Directors, Senior/Executive Management, or the Board of Trustees
- An incident has been reported to (i) the Office of the Privacy Commissioner, (ii) another federal government department (such as the Canadian Centre for Cyber Security), (iii) other supervisory or regulatory organizations or agencies, (iv) any law enforcement agencies, (v) internal or external counsel, or (vi) plan members and beneficiaries
- An incident for which a cyber insurance claim has been started that includes losses for the pension plan
The OSFI reporting requirement does not employ the test of “real risk of significant harm” that applies under Canadian federal privacy law. Therefore, separate privacy and OSFI analyses are required.
The Draft Advisory requires administrators to consult their lead supervisors when in doubt as to whether to report an incident or not.
Administrators are expected to complete and send an Incident Report to OSFI within 24 hours of discovering an incident, or sooner if possible. Again, this differs from the requirement under Canadian federal privacy law. The report should be sent by email to firstname.lastname@example.org.
Where certain details are unknown at the time the Incident Report is completed, OSFI requires the administrator to note that the information is not yet available and provide estimates and available details on a best-efforts basis, including estimates of when additional information will become available. Until the incident is resolved, OSFI expects the administrator to provide situation updates, including any short-term and long-term remediation plans and actions taken. Following incident containment and resolution, the administrator is required to report to OSFI on its post-incident review and lessons learned.
Failure to report incidents as outlined in the Draft Advisory may result in a higher risk rating for the plan and additional supervisory oversight.
Comments on the Draft Advisory and Incident Reporting form should be provided no later than September 30, 2023. Until a final version of the form is available, FRPP administrators are expected to use the Incident Report to report any cyber or technology incidents to OSFI.
For more information concerning the Draft Advisory, please contact any member of our Financial Services Regulatory Group.