Federally Regulated Private Pension Plans: OSFI Draft Advisory on Technology and Cyber Security Incident Reporting
In April 2023, the Office of the Superintendent of Financial Institutions (“OSFI”) identified cyber risk as a major issue to be addressed in its Annual Risk Outlook – Fiscal Year 2023-2024. Consequently, OSFI recently released a draft advisory (“Draft Advisory”) for technology and cyber security incidents that affect federally regulated private pension plans (“FRPPs”).
The Draft Advisory sets out the responsibilities of FRPPs to address technology and cyber security incidents and OSFI’s expectations with respect to reporting such incidents.
Scope of Technology and Cyber Security Incidents and Criteria For Reporting
The Draft Advisory defines a “technology or cyber security incident” as “an incident that has an impact, or the potential to have an impact, on the operations of an FRPP, including its confidentiality, integrity or the availability of its systems and information”. In such incidents, OSFI requires the administrator of an FRPP to notify OSFI by filing the Technology and Cyber Incident Report for FRPPs (Incident Report) promptly and effectively. Note that the requirements differ from those imposed by federal privacy law.
Under the Draft Advisory, a reportable incident may have any one or more of the following characteristics:
- The impact has potential consequences for other FRPPs or the Canadian financial system
- Plan members or beneficiaries are affected (such as issues with pension payments or contribution remittances, or personal information being compromised)
- Impact on employer operations, infrastructure, data or systems that may cause employer operations to shut down temporarily
- Severe and extended disruptions to critical pension systems or operations
- Pension fund investments operations are impaired
- A disaster declaration has been made by a third-party vendor that affects the pension plan
- A pension plan’s resiliency plan has been put into effect
- A negative effect on the reputation of the plan administrator, employer or participating employers, and service providers is looming
- Impact on a third party affecting the pension plan
- An incident affecting the pension plan has been reported to the Board of Directors, Senior/Executive Management, or the Board of Trustees
- An incident has been reported to (i) the Office of the Privacy Commissioner, (ii) another federal government department (such as the Canadian Centre for Cyber Security), (iii) other supervisory or regulatory organizations or agencies, (iv) any law enforcement agencies, (v) internal or external counsel, or (vi) plan members and beneficiaries
- An incident for which a cyber insurance claim has been started that includes losses for the pension plan
The OSFI reporting requirement does not employ the test of “real risk of significant harm” that applies under Canadian federal privacy law. Therefore, separate privacy and OSFI analyses are required.
The Draft Advisory requires administrators to consult their lead supervisors when in doubt as to whether to report an incident or not.
Reporting Requirements
Administrators are expected to complete and send an Incident Report to OSFI within 24 hours of discovering an incident, or sooner if possible. Again, this differs from the requirement under Canadian federal privacy law. The report should be sent by email to pensions@osfi-bsif.gc.ca.
Where certain details are unknown at the time the Incident Report is completed, OSFI requires the administrator to note that the information is not yet available and provide estimates and available details on a best-efforts basis, including estimates of when additional information will become available. Until the incident is resolved, OSFI expects the administrator to provide situation updates, including any short-term and long-term remediation plans and actions taken. Following incident containment and resolution, the administrator is required to report to OSFI on its post-incident review and lessons learned.
Failure to report incidents as outlined in the Draft Advisory may increase a plan’s rating and result in additional supervisory oversight.
Comments on the Draft Advisory and Incident Reporting form should be provided no later than September 30, 2023. Until a final version of the form is available, FRPP administrators are expected to use the Incident Report to report any cyber or technology incidents to OSFI.
For more information concerning the Draft Advisory, please contact any member of our Financial Services Regulatory Group.