
BCFSA recently released its final Information Security Guideline for Pension Plan Administrators. The new Guideline will come into effect on July 1, 2025.
This new Guideline is specifically for pension plan administrators in British Columbia and will replace the 2021 Information Security Guideline for Provincially Regulated Financial Institutions that broadly applies to all provincially regulated financial institutions (e.g. credit unions, insurance companies). The new Guideline is intended to address feedback from the BC pension industry that the 2021 Guideline did not satisfactorily take into account the unique circumstances, mandate and resources of pension plans, as compared to the other sectors regulated by BCFSA.
Like the 2021 Guideline, the new Guideline sets out BCFSA’s expectations in relation to information security, but with a focus on pension plans, including:
- Maintaining a risk management program;
- Identifying the information security risks in respect of systems, people, assets, data and capabilities;
- Protecting data and systems in light of the sensitivity and value of the data and information;
- Establishing monitoring processes to detect information security incidents;
- Developing response and recovery processes; and
- Communicating with BCFSA about “material” information security incidents.
However, pension plan administrators should note that the new Guideline also introduces more prescriptive expectations than the 2021 Guideline, including:
- Administrators are expected to demonstrate that they have familiarized themselves with CAPSA guidelines, including the CAPSA Guideline on Pension Plan Governance.
- Administrators are expected to inform plan beneficiaries and members about “material” incidents that have an impact on benefits, financial or personal interests. The new Guideline also provides greater clarity about what BCFSA will view as a “material” incident.
- The new Guideline is more prescriptive about an administrator’s reporting requirements in the event of a material information security incident, including specific timelines for reporting. It also specifies that administrators are expected to inform BCFSA of material incidents originating with any third-party service providers (and not just those originating with the administrator).
As noted in our prior blog post, BCFSA released a draft of the new Guideline in July 2024 for consultation. The final version has minimal substantive changes from the draft version.
We encourage pension plan administrators to review the new Guideline and take any steps required to ensure compliance with the Guideline by July 1, 2025. Please reach out to any member of our Pension and Employee Benefits Group for more information.