Federally Regulated Private Pension Plans: OSFI Draft Advisory on Technology and Cyber Security Incident Reporting
In April 2023, the Office of the Superintendent of Financial Institutions (“OSFI”) identified cyber risk as a major issue to be addressed in its Annual Risk Outlook – Fiscal Year 2023-2024. Consequently, OSFI recently released a draft advisory (“Draft Advisory”) for technology and cyber security incidents that affect federally regulated private pension plans (“FRPPs”).
The Draft Advisory sets out the responsibilities of FRPPs to address technology and cyber security incidents and OSFI’s expectations with respect to reporting such incidents.
Scope of Technology and Cyber Security Incidents and Criteria For Reporting
The Draft Advisory defines a “technology or cyber security incident” as “an incident that has an impact, or the potential to have an impact, on the operations of an FRPP, including its confidentiality, integrity or the availability of its systems and information”. In such incidents, OSFI requires the administrator of an FRPP to notify OSFI by filing the Technology and Cyber Incident Report for FRPPs (“Incident Report”) promptly and effectively. Note that the requirements differ from those imposed by federal privacy law.
Under the Draft Advisory, a reportable incident may have any one or more of the following characteristics:
- The impact has potential consequences for other FRPPs or the Canadian financial system
- Plan members or beneficiaries are affected (such as issues with pension payments or contribution remittances, or personal information being compromised)
- Impact on the employer’s operations, infrastructure, data or systems that may result in those operations shutting down temporarily
- Severe and extended disruptions to critical pension systems or operations
- Pension fund investment operations are impaired
- A disaster declaration has been made by a third-party vendor that affects the pension plan
- A pension plan’s resiliency plan has been put into effect
- A negative effect on the reputation of the plan administrator, employer or participating employers, and service providers is looming
- Impact on a third party affecting the pension plan
- An incident affecting the pension plan has been reported to the Board of Directors, Senior/Executive Management, or the Board of Trustees
- An incident has been reported to (i) the Office of the Privacy Commissioner, (ii) another federal government department (such as the Canadian Centre for Cyber Security), (iii) other supervisory or regulatory organizations or agencies, (iv) any law enforcement agencies, (v) internal or external counsel, or (vi) plan members and beneficiaries
- An incident for which a cyber insurance claim has been started that includes losses for the pension plan
The OSFI reporting requirement does not employ the test of “real risk of significant harm” that applies under Canadian federal privacy law. Therefore, separate privacy and OSFI analyses are required.
The Draft Advisory requires administrators to consult their lead supervisors when in doubt as to whether an incident should be reported.
Reporting Requirements
Administrators are expected to complete and send an Incident Report to OSFI within 24 hours of discovering an incident, or sooner if possible. Again, this differs from the requirement under Canadian federal privacy law. The report should be sent by email to pensions@osfi-bsif.gc.ca.
Where certain details are unknown at the time the Incident Report is completed, OSFI requires the administrator to note that the information is not yet available and provide estimates and available details on a best-efforts basis, including estimates of when additional information will become available. Until the incident is resolved, OSFI expects the administrator to provide situation updates, including any short-term and long-term remediation plans and actions taken. Following incident containment and resolution, the administrator is required to report to OSFI on its post-incident review and lessons learned.
Failure to report incidents as outlined in the Draft Advisory may increase a plan’s rating and result in additional supervisory oversight.
Comments on the Draft Advisory and Incident Reporting form should be provided no later than September 30, 2023. Until a final version of the form is available, FRPP administrators are expected to use the Incident Report to report any cyber or technology incidents to OSFI.
For more information concerning the Draft Advisory, please contact any member of our Financial Services Regulatory Group.