Technology and cyber security incident reporting

Publication type: Advisory
Topics: Governance; Plans (defined benefit plans, defined contribution plans, pooled registered pension plan)
Year: 2023

    Purpose

    This advisory describes the Office of the Superintendent of Financial Institutions' (OSFI) expectations for reporting technology and cyber security incidents that affect federally regulated private pension plans (FRPPs) [Footnote 1]. It also supports a coordinated approach to OSFI's awareness of, and response to, these incidents.

    FRPP administrators are responsible for addressing technology and cyber security incidents in a timely and effective manner. When an incident occurs, OSFI expects the administrator to notify OSFI by filing the Technology and Cyber Incident Report for FRPPs (Incident Report). The requirement to notify OSFI should be reflected in the FRPP's risk management framework or resiliency plan.

    Incident reporting can help identify areas where administrators or the industry at large can take steps to proactively prevent such incidents or improve their resiliency after an incident has occurred.

    Scope and definition

    OSFI considers a technology or cyber security incident to be an incident that has an impact, or the potential to have an impact, on the operations of an FRPP, including the confidentiality, integrity or availability of its systems and information.

    Criteria for reporting

    When in doubt about whether to report an incident, administrators should consult their lead supervisor.

    A reportable incident may have any one or more of the following characteristics:

    • The impact has potential consequences for other FRPPs or the Canadian financial system
    • Plan members or beneficiaries are affected (for example, issues with pension payments or contribution remittances, or compromised personal information)
    • An impact on employer operations, infrastructure, data or systems that may result in employer operations shutting down temporarily
    • Severe and extended disruptions to critical pension systems or operations
    • Pension fund investment operations are impaired
    • A disaster declaration has been made by a third-party vendor that affects the pension plan
    • The pension plan's resiliency plan has been put into effect
    • A negative effect on the reputation of the plan administrator, the employer or participating employers, or service providers is likely
    • An impact on a third party that affects the pension plan
    • An incident affecting the pension plan has been reported to the Board of Directors, Senior/Executive Management, or the Board of Trustees
    • An incident has been reported to:
      • the Office of the Privacy Commissioner
      • another federal government department (such as the Canadian Centre for Cyber Security)
      • other supervisory or regulatory organizations or agencies
      • any law enforcement agencies
      • internal or external counsel
      • plan members and beneficiaries
    • An incident for which a cyber insurance claim has been started that includes losses for the pension plan

    Notification requirements

    Administrators should complete and send an Incident Report to OSFI within 24 hours of discovering an incident, or sooner if possible. The report can be sent by email to pensions@osfi-bsif.gc.ca.

    Where specific details are unknown at the time the administrator completes the Incident Report, the administrator should note that the information is not yet available. In such cases, the administrator should provide estimates and all other details available at that time, on a best-efforts basis, including an estimate of when additional information will become available.

    OSFI expects the administrator to provide regular updates as new information becomes available, and until all relevant information about the incident has been provided.

    Until the incident is resolved, OSFI expects the administrator to provide situation updates, including any short-term and long-term remediation plans and actions taken.

    Following incident containment, recovery and resolution, the administrator should report to OSFI on its post-incident review and lessons learned.

    Failure to report

    Failure to report incidents as outlined in this advisory may result in a higher risk rating for the plan and in additional supervisory oversight.

    Examples of reportable incidents

    The following table lists examples of types of incidents and scenarios that plan administrators should report to OSFI. The list is not exhaustive.

    Examples of reportable incidents and scenarios

    Scenario: Cyber attack
    Description: A botnet account-takeover campaign is targeting online services, including pension self-service applications; the volume and velocity of attempts is high, or current controls are failing to block the attack.
    Potential impact:
    • Compromise of plan members' and beneficiaries' accounts or information

    Scenario: Service availability and recovery
    Description: A technology failure affects company servers, the pension portal is down and recovery options have failed.
    Potential impact:
    • Extended disruption in payroll interface processing

    Scenario: Third-party breach
    Description: A material third party is breached and the pension plan is notified that the third party is investigating.
    Potential impact:
    • Pension data
    • Pension fund

    Scenario: Extortion threat
    Description: The employer receives a credible extortion message threatening a cyber attack on its entire IT infrastructure (for example, DDoS for Bitcoin).
    Potential impact:
    • Disruption of critical online service(s) or leak of personal information