The British Columbia Financial Services Authority (BCFSA) protects the interests of pension plans and the rights of pension plan beneficiaries using a risk-based regulatory framework. In June 2021, the BCFSA released a revised draft of their new Information Security and Outsourcing Guidelines (the “Guidelines”), which discusses the roles and responsibilities of financial institutions and pension plan administrators for protecting data and network systems and BCFSA’s expectations for the management of these risks. As the Guidelines are still under consultation, no effective date has been provided at this time.
Key Points for Pension Plans:
- Pension plan administrators, as defined in the plan text, are ultimately responsible for the information security of the pension plan. For multi-employer arrangements, this means that the pension plan administrator is the Board of Trustees.
- Pension plan administrators are now included in the Outsourcing Guideline. BCFSA has stated that the principles outlined in the Outsourcing Guideline also apply to pension plan administrators. This means that pension plan administrators must review their outsourced service providers that could have a material impact on information security or the operation of network systems.
- Plan policies must protect against unauthorized or accidental exposure of data or impairment of network systems.
- Major incidents of security breaches or network system failures must be reported to BCFSA within 72 hours of the event or when the event is recognized as a major incident, whichever is earlier.
Potential Update to Governance Documents:
While we recommend that pension plan administrators review the Guidelines in their entirety once they are finalized, the following section sets out the main expectations BCFSA has for pension plan administrators to comply with the Guidelines.
“Pension Plan Administrators should ensure the written governance policy recognizes information security as a material risk and:
- Sets out structures, processes and controls for overseeing, managing, and administering information security;
- Explains what those structures, processes and controls are intended to achieve;
- Identifies all participants who have authority to make decisions in respect to those structures, processes and controls and describes the roles, responsibilities, and accountabilities of those participants; and
- Establishes an ongoing process to identify the educational requirements and skills necessary for the administrator to perform his or her duties in relation to information security.”
BCFSA Information Security Guideline (June 2021 Draft), page 5
Once the governance policy has been updated to meet the above requirements, the Guidelines should not affect the day-to-day operations of pension plans under BC jurisdiction. However, the Guidelines will promote better governance of cybersecurity among pension plans and ensure that action plans are in place should a security breach occur. PBI will continue to consult with BCFSA as the Guidelines are finalized and will provide notice when the effective date is confirmed.