ARTICLE
14 May 2025

British Columbia Financial Services Authority Releases Pension-specific Information Security Guideline


On March 25, 2025, the British Columbia Financial Services Authority (BCFSA), the regulator of provincially regulated financial institutions (PRFIs), including provincially registered pension plans, released an information security guideline specific to pension plan administrators (the Pension Plan IS Guideline).

The BCFSA previously released an information security guideline for all PRFIs, including pension plan administrators, in 2021 (the 2021 IS Guideline). At that time, the BCFSA received comments from pension stakeholders that the 2021 IS Guideline did not account for the unique circumstances, mandates and resources of pension plans as compared to other PRFIs regulated by the BCFSA. As a result, in 2024, the BCFSA conducted a multi-phased consultation on a draft standalone guideline for pension plans, with the final version being released on March 25, 2025.

The Pension Plan IS Guideline begins with an important reminder to pension plan administrators that information security risk includes the "unauthorized, illegal or accidental use, disclosure, access to, modifications or destruction of data or impairment of network systems (collectively referred to as information security incidents), which can cause serious harm to pension plan members." The Pension Plan IS Guideline also highlights that information security risks may arise from employees, consultants or external threat actors.

Similar to the 2021 IS Guideline, the Pension Plan IS Guideline requires pension plan administrators to ensure their written governance policy recognizes information security as a material risk. This is important as the British Columbia Pension Benefits Standards Regulation requires administrators of pension plans to establish a governance policy that identifies material risks and establishes internal controls to manage those risks.[1]

The Pension Plan IS Guideline also states that pension plan administrators are expected to establish and document an effective Information Security Risk Management Program. An effective Information Security Risk Management Program should:

  • Identify the information security risks to systems, people, assets, data, and capabilities;
  • Protect data and systems in a reasonable and appropriate manner using physical and logical security measures;
  • Detect information security incidents rapidly by establishing monitoring processes and periodically evaluating the effectiveness of the identified controls;
  • Respond to information security incidents, including by informing plan beneficiaries and members of material incidents; and
  • Recover by developing and implementing appropriate activities to maintain plans for resilience, restoring capabilities or service and complying with applicable legislation.

The Pension Plan IS Guideline requires pension plan administrators to report a material incident to the BCFSA within 24 hours of determining that an information security incident was material. To assist pension plan administrators, the appendices to the Pension Plan IS Guideline provide directions to determine if an information security incident is "material," which includes consideration of both the nature of the incident and the impact on members, users, consumers or the general public. A written report of any material incident is required to be provided to the BCFSA as soon as possible, but within 72 hours, and the appendices also detail the information that must be contained therein.

The Pension Plan IS Guideline establishes minimum expectations that pension plan administrators are expected to implement as part of the controls and safeguards that correspond with the nature, potential impact and likelihood of risk to their plans. The Pension Plan IS Guideline is effective as of July 1, 2025. Before that date, pension plans are expected to continue to comply with the 2021 IS Guideline.

The Pension Plan IS Guideline also requires pension plan administrators to demonstrate that they have familiarized themselves with industry accepted practices for plan governance, including the applicable guidelines from the Canadian Association of Pension Supervisory Authorities (CAPSA). Please see our insight regarding the new CAPSA Guideline No. 10: Guideline for Risk Management for Plan Administrators for more information.

Footnote

[1] Pension Benefits Standards Regulation, BC Reg 71/2015 at s. 50.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com
