Technology and cyber incident reporting

Document properties

• To: Administrators of registered pension plans, or administrators that have filed for registration under the Pension Benefits Standards Act, 1985 or the Pooled Registered Pension Plans Act, and their agents

The Office of the Superintendent of Financial Institutions (OSFI) has identified cyber risk as a key issue in its Annual Risk Outlook – Fiscal Year 2023-2024.

OSFI is issuing a draft version of an advisory titled Technology and Cyber Security Incident Reporting (Advisory) and its accompanying incident reporting form (Incident Report, PDF). The Advisory sets out OSFI’s expectations for when and how a technology or cyber incident that affects a federally regulated private pension plan (FRPP) should be reported to OSFI.

Questions and comments concerning this Advisory and Incident Report should be sent to pensions@osfi-bsif.gc.ca. A non-attributed summary of comments received along with OSFI’s responses will be posted on OSFI’s website when the final Advisory and Incident Report are released. Comments should be provided no later than September 30, 2023.

Any reporting of a technology or cyber incident affecting an FRPP should be submitted to OSFI (pensions@osfi-bsif.gc.ca) using the draft Incident Report until it is replaced by the final version.

Sincerely,

Henri Boudreau
Managing Director, Insurance and Pensions