Office of the Superintendent of Financial Institutions
Type of publication: Advisory
Date: June 2023
This advisory describes the Office of the Superintendent of Financial Institutions' (OSFI) expectations for reporting technology and cyber security incidents that affect federally regulated private pension plans (FRPPs) (see footnote 1). It also supports a coordinated approach to OSFI's awareness of, and response to, these incidents.
FRPP administrators have a responsibility to address technology and cyber security incidents in a timely and effective manner. When an incident occurs, OSFI expects the administrator to notify OSFI by filing the Technology and Cyber Incident Report for FRPPs (Incident Report). The requirement to notify OSFI should be reflected in an FRPP's risk management framework or resiliency plan.
Incident reporting can help identify areas where administrators or the industry at large can take steps to proactively prevent such incidents or improve their resiliency after an incident has occurred.
OSFI considers a technology or cyber security incident to be an incident that has an impact, or the potential to have an impact, on the operations of an FRPP, including the confidentiality, integrity or availability of its systems and information.
When in doubt about whether to report an incident, administrators should consult their lead supervisor.
A reportable incident may have any one or more of the following characteristics:
Administrators should complete and send an Incident Report to OSFI within 24 hours of discovering an incident, or sooner if possible. The report can be sent by email to email@example.com.
Where specific details are unknown at the time the administrator completes the Incident Report, the administrator should note that the information is not yet available. In such cases, the administrator should provide estimates and all other details available at that time, on a best-efforts basis, including an estimate of when additional information will become available.
OSFI expects the administrator to provide regular updates as new information becomes available, and until all relevant information about the incident has been provided.
Until the incident is resolved, OSFI expects the administrator to provide situation updates, including any short-term and long-term remediation plans and actions taken.
Following incident containment, recovery and resolution, the administrator should report to OSFI on its post-incident review and lessons learned.
Failure to report incidents as outlined in this advisory may increase a plan’s rating and result in additional supervisory oversight.
The following table lists examples of types of incidents and scenarios that plan administrators should report to OSFI. The list is not exhaustive.
Footnote 1: This advisory applies to FRPPs. For information pertaining to the reporting requirements for federally regulated financial institutions (FRFIs), please see the Technology and Cyber Incident Reporting advisory published in August 2021 for FRFIs.