‘Material IT risk’ reporting requirement for Ontario pension plans goes live April 1, 2024
The Financial Services Regulatory Authority of Ontario (FSRA) has published its Information Technology (IT) Risk Management Guidance (the Guidance), with an effective date of April 1, 2024. The Guidance will apply to administrators of all pension plans registered in Ontario (as well as other sectors regulated by FSRA).
Pension plan administrators and sponsors should consider whether their organization’s IT risk management practices and preparedness align with the Guidance, particularly those elements of the Guidance that create compliance obligations.
Practices for managing IT risks
The Guidance sets out seven practices for effectively managing IT risks, applicable to all FSRA-regulated sectors, and describes the “desired outcomes” associated with each practice. The practices are classified as “information”-level guidance for purposes of FSRA’s Guidance Framework. While these practices do not create any compliance obligations for regulated entities, FSRA will consider adherence to these practices and their desired outcomes when supervising regulated entities.
The practices are:
- have proper governance and oversight of IT risks
- rely on industry accepted practices to effectively manage IT risks
- use industry accepted strategies to effectively manage and secure confidential data
- effectively manage IT risks associated with outsourced activities
- be prepared to effectively detect, manage, resolve/recover and report on IT incidents in a timely manner
- be prepared to ensure the continuity of IT assets, and ability to deliver critical services, during and following an incident
- notify regulator(s) in the event of a “material IT risk incident”
Notifying FSRA of material IT risk incidents
The Guidance expands upon Practice 7 (notify regulator(s) in the event of a “material IT risk incident”) in the “approach”-level guidelines contained therein. Among other things, it suggests that notifying regulatory authorities (including FSRA, via a form to be prescribed) of a “material IT risk incident” should be done as soon as is reasonable after determining that an IT risk incident is material, meaning typically within 72 hours. Such guidance suggests that entities that sponsor or administer a pension plan and are not otherwise subject to incident/breach reporting obligations under privacy laws would nevertheless be required to notify FSRA of a material IT risk incident.
What constitutes a material IT risk incident in respect of a pension plan is to be determined by the pension plan administrator and will generally depend on the impact to the business, operations and stakeholders. FSRA outlines certain indicators that a material IT risk incident has occurred. These include, but are not limited to, the following:
- incidents that disrupt the operation of the pension plan to an extent that the plan can no longer be effectively administered
- incidents likely to negatively affect other entities or individuals regulated by FSRA
- incidents that compromise confidential plan member data
- incidents that impact the ability of the administrator to pay benefits
After FSRA becomes aware of a material IT risk incident, FSRA will determine whether to activate its Protocol for IT Risk Incidents (the Protocol), which typically involves three phases:
- receiving a notification from the regulated entity (the pension plan administrator) detailing the incident and the entity’s response to the incident
- establishing contact with the regulated entity and receiving regular updates
- receiving the regulated entity’s plan to prevent a similar incident in the future
In some instances, FSRA will consider notification of the incident sufficient and determine that activation of the Protocol is not warranted. FSRA’s level and frequency of engagement before and after the Protocol is activated will depend on the nature of the incident and the regulated entity.
Interpretation of fiduciary obligations
In addition to the recommended practices, the Guidance contains an “interpretation”-level statement: “In order to adequately protect plan members’ rights and benefits, and to effectively administer the pension plan, administrators must consider and mitigate IT risks.” It also cites the requirements of section 30.1 of the Pension Benefits Act (Ontario) with respect to sending documents in electronic form. Pursuant to FSRA’s Guidance Framework, “interpretation”-level guidance sets out FSRA’s view of requirements under its legislative mandate, such that non-compliance can lead to enforcement or supervisory action.
In an “approach”-level statement, FSRA indicates that, in its supervision of pension plans’ risk management processes, it may take into account whether plan administrators can demonstrate (i) that they have familiarized themselves with industry accepted practices, including CAPSA guidelines, and (ii) that they have considered the practices and desired outcomes set out in this Guidance.
It should also be noted that this Guidance purports to be consistent with — and, in the event of inconsistency, takes precedence over — the forthcoming Canadian Association of Pension Supervisory Authorities (CAPSA) Guideline on Cyber Risk for Pension Plans. The Guidance states that adherence to the Guidance will satisfy the CAPSA guideline.
Implications for pension plan administrators
We anticipate that the Guidance may prompt sponsors and administrators of Ontario-registered pension plans to assess the degree to which their organizations’ IT risk management practices and processes, including incident identification and reporting preparedness, align with the Guidance. In doing so, plan administrators should be cognizant of the following implications.
While FSRA does not specify a reporting threshold, it does provide a non-exhaustive list of indicators that a material incident has occurred, as described in our summary above. Plan sponsors that are subject to private-sector privacy legislation should note that these indicators may not necessarily align with those that trigger reporting obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which only requires organizations to report a breach of security safeguards that poses a “real risk of significant harm”.
Activation of FSRA’s Protocol
The Guidance provides that FSRA will determine whether to activate its Protocol after becoming aware of an IT risk incident, either through direct notification by the plan administrator or through other channels such as complaints or media reports. This suggests (i) that the risk incident need not be material for FSRA to determine that it should be involved in investigating an incident and (ii) that FSRA may decide to activate its Protocol even though the plan administrator has determined that the materiality threshold has not been met and notification is not necessary.
Information access requests
FSRA is subject to the Freedom of Information and Protection of Privacy Act and, as such, information provided to FSRA may become the subject of an access request. While this Guidance does provide that FSRA will maintain confidentiality of incidents reported to the extent allowed by the law, it is possible that interested persons could obtain access.
Further, it does not expressly specify any exceptions, nor does it provide a process for notifying plan administrators prior to disclosure.
The effective date of April 1, 2024, gives plan administrators time to consider the implications noted above and assess — and, if necessary, make plans to adjust — their organization’s IT infrastructure. At a minimum, plan administrators should ensure that their governance framework sets out clear responsibilities and oversight for the management of IT risks. Plan administrators should consult with their legal advisors.
Pursuant to FSRA’s Guidance Framework, “information”-level guidance is indicative of FSRA’s views on certain topics without creating new compliance obligations for regulated persons.
Pursuant to FSRA’s Guidance Framework, “approach”-level guidance describes FSRA’s internal principles, processes and practices for supervisory action and the application of CEO discretion.