Pension plan sponsors must effectively employ care, diligence and skill when facing cybersecurity threats, said Sandeep Kakan, board trustee and secretary at the Canada-Wide Industrial Pension Plan, during a session at the Canadian Investment Review’s 2023 Defined Benefit Investment Forum in December.
Cybersecurity concerns are rising in the aftermath of the MOVEit hack, which compromised the information of more than 2,000 organizations, including plan sponsors. In Ontario, the Pension Benefits Act, administered by the Financial Services Regulatory Authority of Ontario, requires plan sponsors to ensure a certain standard of digital information protections.
“The takeaway from the act is that in order to adequately protect plan members’ rights and benefits — administrators also must make sure and mitigate [information technology] risks.”
Kakan said Canadian regulators have increasingly taken the threats of cybersecurity more seriously, noting the FSRA has placed an emphasis on IT risks to promote the protection of pension benefits and the rights of plan members. “Through the information section, FSRA also lays out seven practices for effective IT risk management based on national and international standards that pension plans would be well advised to follow.”
The CWIPP is currently conducting a risk assessment of its service providers and employees, and its workers are required to certify acknowledgement of its data integrity policy. It also recently obtained an insurance policy for cybersecurity coverage, which covers cyberextortion and ransomware, said Kakan. The policy protects “data hosted on a third-party network like the cloud.” The policy also covers data restoration and remediation, loss of business revenue, regulatory proceedings coverage and liability coverage for invasion of privacy rights and virus transmission.
Kakan outlined the CWIPP’s protocol for responding to a cybersecurity incident. The first step is to cut off unauthorized access through a system shutdown and recovery process. Depending on the opinion of available legal counsel, the plan sponsor would then inform privacy commissioners and complete a breach report form under the Personal Information Protection and Electronic Documents Act. In this scenario, the board chair would then inform the insurer of the threat. Records of the incident would be retained for 24 months and made available if a request is filed.
“The results of the breach investigation and related plans should be put on the agenda for the board trustees at the next meeting.”