Data management and transference is a key area of risk for pension plan sponsors as the vulnerability of engaging with third parties creates opportunities for cybercriminals, says Jillian Kennedy, a partner at Mercer.

According to an online brief published last year by Ernst & Young, third-party service providers hired by public pension plan sponsors tend to be desirable targets of cybercriminals. Vulnerabilities can be found in plan sponsors’ websites and member portals, said the report, noting investment organizations are also at risk due to the handling of investment operations conducted by its staff.

Read: Cyber attack compromises U.K. pension plan members’ personal information

Indeed, the coronavirus pandemic shone a light on the need for online data maintenance in Canada, as companies sought to collect more thorough information, Kennedy adds. As plan sponsors gather more data about members’ behaviour regarding savings, plan participation or investments, she believes they’re increasingly recognizing the responsibility that comes with handling all of this information and the potential harm in mishandling modern data pools.

“Today a Canadian insurance company would be able to collect salary data, birth date data, data from outside of the retirement plan [and] data on the [member’s] spouse — basically, a comprehensive profile of a person — and use that data to nudge that person in one direction or another.”

Plan sponsors are enhancing policies around cybersecurity risk to protect plan members, but there’s still a long road ahead. Kennedy says more instructions are needed about distinction in responsibility and she anticipates more provinces will step up with “improved and enhanced privacy legislation.”

Read: OSFI’s draft pension cybersecurity standard may lead to duplication, increased risk: ACPM

These policies will likely be continuous, meaning there will be iterations of initial guidelines as threats in the cybersecurity space continues to evolve quickly. “There’s already a baseline [for] trust and confidence in Canada. [Going forward, guidelines] will [address risks related to] newer processes and newer ways that we’re using information and data that [we’ll] be required to protect. That’s the spirit of the rules that we’re going to see coming to Canada.”

She says plan sponsors are also implementing data risk assessments more frequently than before to review current standards with their partners. “They’re doing it regularly, even if the third party doesn’t change.”

They’re also drafting data risk policies that specify the roles and responsibilities of every party during the transition of data between partners, says Kennedy, noting these contracts force all stakeholders to come to the table and engage in the protection of plan members and make it easy for plan sponsors to identify gaps in security when things go wrong.

Read: CAPSA’s risk management guideline adaptable to changes in cybersecurity, ESG: webinar