On April 1, 2024, the Financial Services Regulatory Authority of Ontario (FSRA) Information Technology Risk Management Guidance ("the Guidance") became effective. The Guidance is applicable to all entities and individuals regulated by FSRA including pension plan administrators.
Pension plan administrators must consider whether their existing cybersecurity and/or IT risk management policies currently comply with the Guidance or whether updates are necessary. The Guidance imposes obligations in addition to those already required by other legislation related to the privacy of personal information, such as the Personal Information Protection and Electronic Documents Act.
IT Risk
The Guidance defines "IT risk" broadly as including the risk of financial loss, operational disruption or damage, or reputational loss resulting from the inadequacy, disruption, destruction, failure, or damage by any means to IT systems, infrastructure, and data.
Principles-Based Guidance
The Guidance outlines the practices that pension plan administrators will need to consider, implement and follow to manage IT risks. The practices pertain to the areas of governance, risk management, data management, outsourcing, incident preparedness, continuity and resiliency, and the notification of material IT risk incidents.
Material IT Risk Incident
The Guidance requires that pension plan administrators advise FSRA, through a prescribed form, where there has been a material IT risk incident, as soon as reasonable after determining that an IT risk incident is material, typically within 72 hours. What determines a "material IT risk incident" in respect of a pension plan is largely related to the impacts on the pension plan. A material IT risk incident will disrupt the operations of the pension plan such that it cannot be effectively administered, will negatively affect other entities regulated by FSRA, will compromise confidential plan member data, and/or will impact the ability to pay benefits.
Fiduciary Obligations
The Guidance reminds administrators that the mitigation and response to IT risks are encompassed in the existing fiduciary duties of plan administrators. The Guidance indicates that FSRA may consider IT risks in its assessment of potential risks impacting a pension plan and in doing so would assess whether a pension plan administrator can demonstrate:
(i) that they have familiarized themselves with industry-accepted practices, including CAPSA guidelines (final guidelines are forthcoming); and
(ii) that they have considered the practices and desired outcomes as set out in this Guidance, in its supervision of pension plans' risk management processes.
Key Takeaways
Pension plan administrators should review whether their policies and practices effectively respond to IT-related risks and comply with the Guidance, in addition to ensuring compliance with privacy legislation as previously required. Revising policies and procedures to respond to IT risks and prevent future material risk incidents will demonstrate that plan administrators have complied with the Guidance and considered the practices for effective IT risk management.
Originally published by 17 May, 2024