New FSRA guidance: Time for a governance check
On April 1st, the Financial Services Regulatory Authority of Ontario (“FSRA”) released final guidance on information technology (“IT”) risk management to strengthen protection against harmful IT risks for consumers. The guidance is applicable to all entities and individuals regulated by FSRA and outlines:
- Practices for effective risk management
- A process for regulated entities and individuals to notify FSRA in the event of a material IT risk incident
- Sector-specific guidance including requirements for credit unions, Ontario-incorporated insurance companies and reciprocals, and pension plan administrators
IT risk represents a significant and growing threat to pension plan members. Risks can arise from both internal sources (e.g., aging infrastructure, accidental breaches of security) and external sources (e.g., deliberate cyber breaches).
FSRA defines IT risk as the risk of financial loss, operational disruption or damage, or reputational loss resulting from the inadequacy, disruption, destruction, failure, or damage by any means to a regulated entity or individual’s IT systems, infrastructure, and data.
Pension plan administrators (and other regulated entities) must comply with the existing requirements related to IT risk and the protection of personal information, including the requirements set out in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Practices for effective IT risk management
FSRA outlines seven industry-accepted practices for effective IT risk management. FSRA will consider adherence to these practices and their desired outcomes when exercising its supervisory authority.
Practice 1: Governance
The regulated entity or individual has proper governance and oversight of its IT risks.
Practice 2: Risk management
The regulated entity or individual relies on industry-accepted practices to effectively manage its IT risks.
Practice 3: Data management
The regulated entity or individual uses industry-accepted strategies to effectively manage and secure confidential data.
Practice 4: Outsourcing
The regulated entity or individual effectively manages the IT risks associated with any outsourced or co-sourced activity, function, and service.
Practice 5: Incident preparedness
The regulated entity or individual is prepared to effectively detect, log, manage, resolve, recover, monitor, and report on IT incidents in a timely manner.
Practice 6: Continuity and resiliency
The regulated entity or individual is prepared to ensure the continuity of its IT assets and its ability to deliver critical services during and following an incident.
Practice 7: Notification of material IT risk incidents
The regulated entity or individual notifies its regulator(s) in the event of a material IT risk incident.
Material IT risk incident – Pension plan administrators
Pension plan administrators are required to notify FSRA only when an IT risk incident is material. FSRA has indicated that, for pension plan administrators, the following are indicative that a material incident has occurred:
- Disruption to the operations of the pension plan to an extent that the plan can no longer be effectively administered
- A likely negative effect on other entities or individuals regulated by FSRA, or a likelihood that the incident will recur with other entities or individuals regulated by FSRA
- Confidential plan member data has been compromised
- Ability to pay benefits has been impacted
Pension plan administrators’ responsibility
Pension plan administrators are subject to fiduciary duties under common law as well as prescribed minimum standards in the Pension Benefits Act (“PBA”). The PBA requires administrators to act with the care, diligence and skill that a person of ordinary prudence would exercise when dealing with the property of another person. They must also use all relevant knowledge and skill that they possess or, by reason of their profession, business or calling, ought to possess.
In order to adequately protect plan members’ rights and benefits, and to effectively administer the pension plan and fulfill their fiduciary duties, pension plan administrators must also consider and mitigate IT risks.
FSRA has issued ‘Pension Plan Administrator Roles and Responsibilities Guidance’ to ensure pension plan administrators are aware of their roles and responsibilities. The guidance notes that administrators are responsible for implementing processes to ensure that plan risks are understood and addressed.
FSRA expects that pension plan administrators will be able to demonstrate that they have familiarized themselves with the industry-accepted practices for plan governance and have considered practices for effective IT risk management in accordance with the size and nature of the plan and other relevant factors.
As such, we encourage all pension plan administrators to:
- Review and understand the recommendations put forth by FSRA’s guidance
- Evaluate the pension plan’s existing governance framework as it relates to the pension plan’s IT risk management approach to identify areas of improvement in accordance with the guidance
At a minimum, the plan’s governance framework should include:
- documented approaches to IT risk management
- seven practices for effective IT risk management
- process for informing FSRA about IT risk incidents and how they have been addressed
Across Canada, pension legislation has been changing. It can be a complex web to navigate. We can help you make sense of it. Please reach out to your Eckler consultant to continue the conversation or visit our website to learn more about our governance solutions.