Release of New Information Security Guideline for B.C. Pension Plan Administrators

The British Columbia Financial Services Authority (“BCFSA”) aims to protect sensitive information for plan members by enforcing safety and establishing guidelines for pension plans to mitigate information security risks through best business practices. In March 2025, the BCFSA released an advisory to all BC pension plan administrators (“PPAs”) about a new guideline on Information Security, which seeks to better reflect the specific regulatory requirements for PPAs. This new guideline follows the prior release of an Information Security Guideline for Provincially Regulated Financial Institutions issued in 2021, which became effective in September 2022. The new guideline will come into force on July 1, 2025, and until then, the prior guideline remains in effect.

Background:

The BCFSA undertook a 60-day public consultation prior to drafting the revised Information Security guideline and established a B.C. Pension Plan Administrators Technical Working Group (“TWG”) comprised of a diverse group of administrators, actuaries and lawyers. PBI formed a part of this working group to provide initial feedback on the revised guideline. Together, the new guideline was created to promote more consistency and streamline expectations among PPAs.

As a general reminder, information security risks include the unauthorized, illegal, or accidental use, sharing, access, change, or destruction of data, or damage to network systems. These events—called information security incidents—can seriously harm pension plan members. With advancements in technology and as more personal data is stored and processed digitally, greater measures are needed to safeguard sensitive information from breaches and other information security incidents.

Key Points:

The new guideline:

  1. Outlines and establishes the minimum standards and expectations specifically for PPAs and replaces the prior guideline, which applied to multiple segments of the financial services sector regulated by BCFSA, such as B.C. Credit Unions, Insurance and Trust Companies. Although these are minimum requirements, it is expected that PPAs implement controls and safeguards that are appropriate to the nature, potential impact and likelihood of risk.
  2. Continues to be principle-based, so expectations are that procedures/practices are set to achieve the objectives of each principle. The new guideline is not prescriptive with regard to the changes required to a plan’s governance policy; however, it is recommended that plans adhere to the CAPSA Guideline for Risk Management for Plan Administrators, which includes developing a resiliency plan that determines how a plan will recover from an incident and restore normal operations.
  3. Promotes greater harmonization with other pension regulators.
  4. Defines a “material incident” as an incident that:
    – Disrupts the operations of the pension plan to an extent that the plan can no longer be effectively administered;
    – Is likely to negatively affect other entities or individuals regulated by BCFSA, or is an incident that is likely to reoccur with other entities or individuals regulated by BCFSA;
    – Compromises confidential plan member data; or
    – Impacts the ability of the administrator to pay benefits.
  5. Requires that PPAs contact BCFSA within 24 hours of identifying a material incident and provide a written incident report within 72 hours of the material incident.
  6. Clarifies that if a material incident occurs, plan beneficiaries must be notified, including how the PPA is proposing to mitigate any negative impacts.
  7. Does not replace the BCFSA Outsourcing Guideline that PPAs are expected to follow if they outsource their administration to a third party. PPAs should review their outsourcing contracts to ensure compliance with applicable legislation and guidelines and that there are procedures and requirements in place to report any material events that may affect the delivery of services.