iAtoday
The importance of protecting information and the rapid advance of technology are placing new demands on registered pension plans (RPPs).
Certain Canadian regulatory authorities have published guidelines applicable to sponsors of defined contribution (DC) and defined benefit (DB) RPPs.
Under these guidelines, RPP sponsors registered with these authorities are required to report material information and IT risk incidents to their respective regulators.
We will be here for you and your clients
We will implement measures to comply with these guidelines, and will notify RPP administrators of any incidents requiring reporting to regulatory authorities.
Summary of the new guidelines:
- Information Technology Risk Management Guidance, from the FSRA of Ontario
On April 1, the Information Technology Risk Management Guidance came into effect for RPPs regulated by the Financial Services Regulatory Authority of Ontario (FSRA).
In it, the FSRA outlines effective information technology risk management practices. It also details a process for notifying the FSRA in the event of a significant incident arising from information technology risks. This notification must be made within a maximum of 72 hours once the incident has been determined to be significant.
- Technology and cyber security incident reporting, from the OSFI
On June 30, 2023, the Office of the Superintendent of Financial Institutions (OSFI) released a draft version of its notice and report on Reporting Technology and Cybersecurity Incidents.
As of this date, sponsors of federally regulated RPPs must report to the OSFI any technology or cybersecurity incident affecting them. A technology or cybersecurity incident is one that has or could have an impact on an RPP’s operations with respect to the confidentiality, integrity or availability of its systems or information, OSFI explains.
The report must be sent within 24 hours of the discovery of an incident.
- BCFSA’s Information Security Guideline
The British Columbia Financial Services Authority’s (BCFSA) Information Security Guideline, effective June 30, 2022, addresses information security risk management. It applies to financial institutions and RPP sponsors registered in BC.
They must report any significant information security incident (cyber attack, technological failure, internal or external breach, etc.) to the regulator as soon as possible. The report can be made by email or telephone once the incident has been determined to be significant.
The RPP administrator must then submit an incident report to the BCFSA within 72 hours.
If you have any questions, please contact your iA Financial Group Account Executive.
For more information on reporting incidents:
- Information technology (“IT”) risk management | Financial Services Regulatory Authority of Ontario (fsrao.ca)
- Technology and cyber security incident reporting | Office of the Superintendent of Financial Institutions (osfi-bsif.gc.ca)
- BCFSA Information Security Guideline