Federally Regulated Private Pension Plans: OSFI Draft Advisory on Technology and Cyber Security Incident Reporting

In April 2023, the Office of the Superintendent of Financial Institutions (“OSFI”) identified cyber risk as a major issue to be addressed in its Annual Risk Outlook – Fiscal Year 2023-2024. Consequently, OSFI recently released a draft advisory (“Draft Advisory”) for technology and cyber security incidents that affect federally regulated private pension plans (“FRPPs”).

The Draft Advisory sets out the responsibilities of FRPPs to address technology and cyber security incidents and OSFI’s expectations with respect to reporting such incidents.

Scope of Technology and Cyber Security Incidents and Criteria For Reporting

The Draft Advisory defines a “technology or cyber security incident” as “an incident that has an impact, or the potential to have an impact, on the operations of an FRPP, including its confidentiality, integrity or the availability of its systems and information”. In such incidents, OSFI requires the administrator of an FRPP to notify OSFI by filing the Technology and Cyber Incident Report for FRPPs (Incident Report) promptly and effectively. Note that the requirements differ from those imposed by federal privacy law.

Under the Draft Advisory, a reportable incident may have any one or more of the following characteristics:

  • Impact has potential consequences to other FRPPs or the Canadian financial system
  • Plan members or beneficiaries are affected (such as issues with pension payments or contribution remittances, or personal information being compromised)
  • Impact on employer operations, infrastructure, data, or systems that may result in the employer operations shutting down temporarily
  • Severe and extended disruptions to critical pension systems or operations
  • Pension fund investments operations are impaired
  • A disaster declaration has been made by a third-party vendor that affects the pension plan
  • A pension plan’s resiliency plan has been put into effect
  • A negative effect on the reputation of the plan administrator, employer or participating employers, and service providers is looming
  • Impact on a third party affecting the pension plan
  • An incident affecting the pension plan has been reported to the Board of Directors, Senior/Executive Management, or the Board of Trustees
  • An incident has been reported to (i) the Office of the Privacy Commissioner, (ii) another federal government department (such as the Canadian Centre for Cyber Security), (iii) other supervisory or regulatory organizations or agencies, (iv) any law enforcement agencies, (v) internal or external counsel, or (vi) plan members and beneficiaries
  • An incident for which a cyber insurance claim has been started that includes losses for the pension plan

The OSFI reporting requirement does not employ the test of “real risk of significant harm” that applies under Canadian federal privacy law. Therefore, separate privacy and OSFI analyses are required.

The Draft Advisory requires administrators to consult their lead supervisors when in doubt as to whether to report an incident or not.

Reporting Requirements

Administrators are expected to complete and send an Incident Report to OSFI within 24 hours of discovering an incident, or sooner if possible. Again, this differs from the requirement under Canadian federal privacy law. The report should be sent by email to pensions@osfi-bsif.gc.ca.

Where certain details are unknown at the time the Incident Report is completed, OSFI requires the administrator to note that the information is not yet available and provide estimates and available details on a best-efforts basis, including estimates of when additional information will become available. Until the incident is resolved, OSFI expects the administrator to provide situation updates, including any short-term and long-term remediation plans and actions taken. Following incident containment and resolution, the administrator is required to report to OSFI on its post-incident review and lessons learned.

Failure to report incidents as outlined in the Draft Advisory may increase a plan’s rating and result in additional supervisory oversight.

Comments on the Draft Advisory and Incident Reporting form should be provided no later than September 30, 2023. Until a final version of the form is available, FRPP administrators are expected to use the Incident Report to report any cyber or technology incidents to OSFI.

For more information concerning the Draft Advisory, please contact any member of our Financial Services Regulatory Group.