Navigating Risk in a Digital World: A Review of FSRA's Finalized Guidance on IT Risk Management
Information technology risk and cyber security risk have become prominent issues in recent years. Unsurprisingly, Canadian pension regulators have begun to issue policies on this topic.[1] Late last year, the Financial Services Regulatory Authority of Ontario (“FSRA”) released finalized Guidance on Information Technology (“IT”) Risk Management (“the FSRA Guidance”). This follows on the heels of the Office of the Superintendent of Financial Institutions’ (“OSFI”) draft Advisory on Technology and Cyber Security Incident Reporting (“the OSFI Advisory”). This Sidebar provides an overview of the new and upcoming regulatory guidance and outlines steps that administrators of Ontario and federally-registered pension plans will want to consider taking in order to comply with applicable requirements.
Overview
The FSRA Guidance applies to all sectors regulated by FSRA[2], including administrators of pension plans registered in Ontario, and will come into effect on April 1, 2024. Notably, FSRA expressly states that mitigating IT risks is a component of the fiduciary duties that a pension plan administrator owes to plan members.
The FSRA Guidance is designed to limit regulated entities’ exposure to IT risk, which FSRA has defined as “the risk of financial loss, operational disruption or damage, or reputational loss resulting from the inadequacy, disruption, destruction, failure, or damage by any means to a regulated entity or individual’s IT systems, infrastructure, and data.” This definition is expansive, requiring regulated entities to consider vulnerabilities caused by factors such as outdated or improperly managed technology, as well as risks associated with cyber security. As discussed in further detail below, the FSRA Guidance introduces reporting obligations when a material IT risk incident occurs.
While still in draft form, the OSFI Advisory addresses OSFI’s expectations with respect to reporting technology and cyber incidents that impact federally-regulated pension plans. OSFI has defined these as any incident that “has an impact, or the potential to have an impact on the operations of a federally regulated pension plan, including its confidentiality, integrity or the availability of its systems and information.” As with the FSRA Guidance, OSFI has adopted a broad definition of IT risk, which encapsulates risks created by faulty technology, as well as cyber security risks. Like the FSRA Guidance, the OSFI Advisory also creates reporting obligations when a technology or cyber incident occurs, which are summarized in greater detail below.
The release of the FSRA Guidance and the OSFI Advisory coincides with a broader regulatory interest in mitigating plan risks. Last summer, the Canadian Association of Pension Supervisory Authorities (“CAPSA”) released a draft policy, entitled Pension Plan Risk Management (the “draft CAPSA Guideline”).[3] The draft CAPSA Guideline identifies regulator expectations for plan administrators in addressing plan risks, including cyber risk. The FSRA Guidance notes that compliance with the FSRA Guidance will satisfy the draft CAPSA Guideline requirements on cyber risk for pension plans and in areas of inconsistency the FSRA Guidance will take priority.
The FSRA Guidance
At the outset, FSRA notes its expectation that regulated entities will comply with existing requirements related to managing IT risk (for example, obligations under the federal Personal Information Protection and Electronic Documents Act).[4]
The FSRA Guidance then sets out practices for effective IT risk management applicable to all regulated entities. FSRA will consider adherence to these practices and their desired outcomes when exercising its supervisory authority. The seven enumerated practices for effective IT risk management are as follows:
Practice 1: Governance – The regulated entity has proper governance and oversight of its IT risks. Clear responsibility for management of IT risks should be assigned to one or more individuals with sufficient seniority and expertise.
Practice 2: Risk management – The regulated entity relies on industry accepted practices (including the adoption of strategies and frameworks) to effectively manage IT risk.
Practice 3: Data management – The regulated entity uses industry accepted strategies to effectively manage and secure confidential data.
Practice 4: Outsourcing – The regulated entity effectively manages the IT risks associated with any outsourced or co-sourced activity, function, and service. This requires that appropriate due diligence be undertaken on service providers.
Practice 5: Incident preparedness – The regulated entity is prepared to effectively detect, log, manage, resolve, recover, monitor and report on IT incidents in a timely manner.
Practice 6: Continuity and resiliency – The regulated entity is prepared to ensure the continuity of their IT assets and their ability to deliver critical services during and following an incident.
Practice 7: Notification of material IT risk incidents – The regulated entity notifies FSRA in the event of a material IT risk incident.
With respect to Practice 7, FSRA expects regulated entities to report material IT risk incidents to FSRA as soon as possible (generally, within 72 hours). Notably, the FSRA Guidance does not define materiality. Regulated entities are to use their discretion to determine whether an IT risk incident is material. In relation to pension plan administrators, FSRA has indicated that an incident may be a material IT risk incident if it:
- disrupts the operations of a pension plan to an extent that the plan can no longer be effectively administered;
- compromises confidential plan member data;
- is likely to negatively affect other entities or individuals regulated by FSRA or is an incident that is likely to reoccur with other entities or individuals regulated by FSRA; or
- impacts the ability of the administrator to pay benefits.
FSRA has prepared an IT Risk Incident Notification Form, as well as a designated email address for reporting material risk incidents: ITriskinbox@fsrao.ca. Pension plan administrators may also advise FSRA of a material risk incident by contacting the plan’s Pension Officer.
The FSRA Guidance explicitly provides that pension plan administrators will be expected to demonstrate that they have considered the practices for effective risk management and adopted them into their risk management approach, in accordance with the size and nature of the plan and other relevant factors.
The OSFI Advisory
Although the OSFI Advisory is still in draft form, it also creates reporting obligations for pension plan administrators who experience a technology or cyber security incident. Pension plan administrators are expected to send an Incident Report to OSFI at pensions@osfi-bsif.gc.ca within 24 hours of discovering an incident. OSFI has indicated that failing to report a technology or cyber incident may result in a plan being subject to additional supervisory oversight.
OSFI has also indicated that it expects the requirement to notify OSFI to be incorporated into a federally-regulated pension plan’s risk management framework or resiliency plan.
Conclusion
Prior to the FSRA Guidance coming into force, administrators of Ontario registered pension plans will want to assess their internal IT risk management practices, as well as practices of their third-party service providers and determine whether any actions are required to bring activities or practices into compliance with the FSRA Guidance.
Many organizations oversee and manage pension plan IT risks as a component of their enterprise-wide processes and procedure. In light of the new Ontario regulatory guidance, plan administrators will want to consider whether to adopt pension plan-specific IT risk management governance policies incorporating incident reporting requirements and otherwise building off of enterprise-wide processes and procedure.
* * * * *
If you have any questions regarding this update please do not hesitate to call any of us – we’re here to help.
[1] The British Columbia Financial Services Authority was the first Canadian pension regulator to release a pension-related IT policy in 2021: Information Security Guideline.
[2] Other entities regulated by FSRA inter alia include credentialing bodies for financial planners and advisors, credit unions, mortgage brokers and agents, trust companies, and insurance providers.
[3] These three policies are also consistent with the United States Department of Labor's Employee Benefits Security Administration's Cybersecurity Program Best Practices, which notes that “plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
[4] Federal Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, proposes to amend PIPEDA, and enact legislation that will impact privacy obligations within private the sector.
This Sidebar client update provides general information and should not be relied upon as legal advice. This publication is copyrighted by Brown Mills Klinck Prezioso LLP and may not be reproduced in whole or in part in any form without the express written consent of Brown Mills Klinck Prezioso LLP. ©
