The Office of the Superintendent of Financial Institutions’ proposed cybersecurity incident reporting standard could unintentionally lead to duplication and increased risk if it doesn’t reflect differences in technology and risks faced by federally regulated financial institutions and federally regulated pension plans, according to the Association of Canadian Pension Management.
While financial institutions’ systems are critical to the functioning of the Canadian economy and are responsible for market infrastructure and liquidity across the country, an open letter from the ACPM said pension plans’ cybersecurity risks are much narrower since they’re focused on beneficiaries and the plans themselves with limited knock-on effects.
The association suggested the OSFI leverage existing reporting structures where possible, noting federally regulated pension plans are subject to the Personal Information Protection and Electronic Documents Act. While pension plans are subject to some risks — such as investment or operational risks — that may fall outside of the legislation, the ACPM said plans generally work with and rely upon the services of financial institutions and the majority of these activities — such as pension benefit payments, financial market settlements and asset custody services — are already subject to the OSFI’s reporting requirements.
In addition, the ACPM said the draft standard’s proposed real-time reporting framework could divert resources away from incident management and create additional risk through the sharing of sensitive information, particularly for smaller plans.
It also noted the standard doesn’t address the provision of sensitive information outside of the OSFI’s regulatory authority, adding that the lack of confidentiality protections could result in an inappropriate release of information about the cause, nature and status of cybersecurity incidents.