As noted previously on this blog, pension regulators have been working towards increasing guidance for pension plan administrators in relation to protecting pension plan information and records. The BC Financial Services Authority (FSA) issued drafts of its Information Security Guideline and its Outsourcing Guideline, invited consultation, and in October 2021, issued final versions of those guidelines, which can be found here and here. It has advised that the guidelines are considered to be in effect on September 30, 2022.
The guidelines provide direction for pension plan administrators on the standards that the FSA will expect in relation to the protection of pension plan information and the outsourcing of activities or functions. Each plan’s approach to the guidelines will depend on a number of factors including the structure of its record management, the degree to which activities or functions are outsourced to external service providers and the steps the administrator has already taken to address the security of its records.
In addition to the FSA’s guidelines, the Canadian Association of Pension Supervisory Authorities (CAPSA) has now issued its “Cyber Risk for Pension Plans” consultation draft guideline, which can be found here. CAPSA’s draft guideline links a pension plan administrator’s duty to protect plan information to its fiduciary duties owed to members, and states that the expectation is that administrators will “incorporate the management and monitoring of cyber risk into the same governance and risk management frameworks used to assess and respond to other material risks to the plan.” Like the FSA guidelines, the CAPSA guideline provides examples of the types of controls that plan administrators should have in place to meet the challenge of protecting pension plan information, as well as the kinds of inquiries that plan administrators should make of the service providers that have custody of plan records. The CAPSA guideline explains how these controls and inquiries should be incorporated into a plan’s governance and risk management activities in order to properly protect plan records and plan members’ interests.
The CAPSA draft guideline is open to comments until September 15, 2022. See the letter to stakeholders here for more information on how to provide comments.
The FSA guidelines and the CAPSA guideline are not surprising given the increased attention in recent years on cybersecurity risks for pension plans. These guidelines provide useful structure for a plan administrator to follow, though the structure of an information security system will need to reflect a pension plan’s unique circumstances including (for example), whether third parties hold the pension plan records and whether the plan administrator relies on the infrastructure of a plan sponsor such as an employer or a bargaining association. While there is no “one size fits all” answer, the guidelines make it clear that doing nothing and hoping for the best will fall below the standard expected by the pension regulators.
Lawson Lundell's Pension and Employee Benefits Law Blog provides updates on the most recent legal developments impacting pension and employee benefit plans. We cover a range of topics, including recent case law and changes to relevant provincial and federal legislation.