Canada: Understanding Cyber Risks For Pension Plan Administrators, ACPM
As pension plans rely increasingly on technology in their administration, there is a corresponding focus on keeping plan assets safe and protecting the rights and interests of plan beneficiaries. Pension plans hold significant amounts of confidential personal data and assets, which makes them targets for criminal activity.
Pension plan administrators and sponsors are expected to be prepared to recognize, prevent or minimize the damage from cyber risks. What this means for how administrators discharge their fiduciary duty is still evolving. Summarized below are practical proactive measures (to prevent incidents) and reactive measures (to respond to them) that plan administrators and sponsors can take to better protect pension plan assets and beneficiaries against cyber risk.
Pension regulators have taken notice of mounting cyber risks and are acting to enhance protective measures by bringing pension plans within their cyber risk policies. Recently, pension regulators in Ontario and British Columbia and at the federal level released policies addressing cyber risk for pension plans. In addition, the Canadian Association of Pension Supervisory Authorities (CAPSA) released a consultation document on cyber risk for pension plans. These regulatory measures are bolstered by privacy legislation, enacted in Alberta, British Columbia and federally, that governs how plan member personal information is collected and handled by pension and benefit plan administrators.
What is Cyber Risk?
Cyber risk is the risk of financial loss, operational disruption or reputational damage resulting from the unauthorized access to, or the malicious or non-malicious use, failure, disclosure, disruption, modification or destruction of, information technology systems, infrastructure or the data they contain. Examples of cyber risks include hacking, malicious software, phishing emails, social engineering and inadvertent information disclosure.
Cyber risk includes both internal risks (e.g., disgruntled employees or a lack of access controls) and external risks (e.g., hacktivists, state-sponsored threat actors or cybercriminals). Pension plan administrators and their third-party service providers control financial assets as well as personal and confidential data, which makes them an attractive target for cyber criminals.
Whether a cyber incident is material is determined by the breached entity based on the impact on the pension plan, its assets and its members, users, consumers or the general public. Factors relevant to whether an incident creates a real risk of significant harm include the sensitivity of the personal information involved, the population affected and the probability that the personal information will be misused. A cyber incident may result in financial loss, damage to information technology systems, operational disruption, data loss, identity theft, reputational damage and other negative outcomes.
Pension Plan Obligations
In pension plans, the pension plan administrators are responsible for overseeing and managing the pension plan, including enrolment, communications and benefit payments. In meeting these responsibilities, administrators are subject to fiduciary duties under common law and applicable legislation. As fiduciaries, administrators must act with the care, diligence and skill that a person of ordinary prudence would exercise in dealing with the property of another person. They must also use all relevant knowledge and skill they possess or, by reason of their profession, business or calling, ought to possess. To adequately protect plan members’ rights and benefits, and to effectively administer the pension plan and invest its assets, administrators must consider and mitigate cyber risks.
In addition to fiduciary duties, applicable pension and privacy legislation and related regulatory policies impose a framework governing how plan member personal information is collected, used, disclosed, maintained, accessed and retained by pension and benefit plan administrators. The principles of cyber and information technology risk management, including the safe and secure treatment of information, apply to pension plans. Plan administrators must comply with this framework in their treatment, protection and distribution of personal information. A failure to protect against cyber incidents, or to comply with the regulatory framework, may amount to a breach of the administrator's fiduciary duty.
Pension plan administrators are also responsible for implementing processes to ensure that plan risks are understood and addressed. Cyber risks are prevalent in several aspects of plan administration and should be considered in creating and managing the administrative framework. This requires both proactive and reactive measures, as discussed below.
By implementing appropriate proactive and reactive measures, a plan administrator also minimizes its litigation risk. This is significant in a climate that has seen class actions and individual claims by affected parties following cyber incidents.
Proactive Measures
Protective Controls
To maintain strong security against cyber attacks, plan administrators should ensure that a robust set of controls is in place. Controls may include keeping hardware and software up to date, drawing on information technology expertise, developing best practices, and ongoing monitoring of systems and networks for unusual activity or unauthorized access.
Pension and Cyber Risk Governance
As a proactive measure, pension plan administrators should incorporate the management and monitoring of cyber risk into the same governance and risk frameworks used in the oversight of the pension plan. This includes incorporation of measures into the pension governance policies and terms of reference. Cybersecurity also overlaps with several governance approaches that should already be in place to monitor privacy and confidentiality of information more generally in the company’s approach to information technology.
The pension governance policy should include processes for identifying cyber security risks and for training pension committee members in cybersecurity. Administrators will need to demonstrate that they have familiarized themselves with industry-accepted practices for plan governance generally and for cyber risk specifically. This includes establishing an ongoing process to identify the education and skills the administrator needs to perform his or her duties in relation to information security.
In addition to the governance policy, a separate standalone cybersecurity policy of the plan sponsor relating to assessing and minimizing the risk of a cyber incident may be adopted or included by reference in the pension governance policies. Any standalone risk management policy should include cyber threats in the list of risks and identify the appropriate individuals or specific policy to deal with cyber risks.
Well Defined Roles and Responsibilities
The pension governance policies and risk framework should identify the key stakeholders, including the plan sponsor and third party service providers. Roles and responsibilities relating to cyber risk should be clearly defined, assigned, and understood, including with respect to any activities delegated to third-party service providers (and all applicable subcontractors). The governance documentation should identify all participants who have authority to make decisions in respect of those structures, processes and controls relating to cyber risk and describe the roles, responsibilities, and accountabilities of those participants.
Cybersecurity Provisions in Third Party Service Contracts
Plan administrators should be aware of and understand the cyber risks of using third-party service providers, and should ensure that such providers have implemented suitable controls. Service provider contracts should include cybersecurity provisions that align with the plan administrator's stated objectives for mitigating risk. How much of the contract can be negotiated will depend on the leverage the pension administrator has, since service providers now have their own cyber security policies to implement as well.
Cyber Insurance
It is increasingly common for plan sponsors to purchase cyber insurance as a proactive measure to minimize loss in the event of a cyber incident. Such policies have evolved to address the changing nature of cyber risk. Coverage may include data breach notification costs, data replacement or restoration, cyber extortion arising out of criminal threats, loss of profit as a result of an incident, liability arising out of a failure of network security or a failure to protect private information, and regulatory action. Often, an insurer will not provide coverage unless the insured has minimum security protocols in place. In purchasing cyber insurance, it is important to communicate openly and clearly with the insurer about the scope of the policy and any exclusions, and to have a clear understanding of the risk being insured.
Reactive Measures
While a cyber insurance policy will help minimize the impact of a cyber security incident, pension plan administrators should also have a strategy in place for responding to and reporting cyber incidents. Cybersecurity policies and training not only support prevention, but also enable an effective and quick reaction when an incident occurs. The response to a cyber incident should be proportionate to several factors, including the volume, severity, sensitivity and type of information affected.
A pension plan's cyber security risk framework and its response to incidents will also depend on the size of the plan. While large plans may have specific cyber resilience plans and incident response procedures, smaller plans may rely heavily on external service providers. A smaller plan may exercise more of a monitoring function rather than developing detailed plan-specific policies or practices of its own.
Incident Response / Resiliency Plan
A plan administrator should develop an incident response or resiliency plan that identifies potential scenarios, outlines the strategy for dealing with a cyber incident and sets out how to get back to business swiftly and safely. A plan administrator should be prepared to address business continuity, disaster recovery and incident response in the context of information technology. Resiliency plans should cover a range of scenarios and the likelihood of different types of incidents, so that if an incident does occur, primary and alternate contacts understand their roles and follow the established protocols.
Incident Reporting
A pension plan administrator should be clear on how, when and to whom cyber incidents are to be reported. Reporting may be required to the plan sponsor, the plan administrator, plan beneficiaries, third parties, supervisory authorities and law enforcement. If an incident occurs at a third-party service provider, the process by which, and the time within which, the plan administrator will be informed should be addressed, along with how the impact of the third party's incident on plan beneficiaries and plan assets will be assessed.
Notification to Plan Beneficiaries and Regulators
Plan beneficiaries should be informed of any cyber incident that affects their benefits or their financial or personal interests, and of the steps being taken to mitigate the incident's impact. The form of a report to a supervisory authority or regulator depends on the applicable jurisdiction, but where there is a real risk of significant harm or the incident is material, the regulator should be notified as soon as possible.
Restoring Capabilities or Services
The resiliency plan should outline the activities needed to restore any capabilities or services that have been affected. Lessons learned from past incidents and from test exercises help identify priorities and backup policies that facilitate prompt restoration of service. How a pension plan administrator reacts to a cyber incident will determine the extent of the detrimental effects on plan assets and beneficiaries.
Conclusion
In this day and age, it is not a matter of "if" there will be a cyber incident, but "when". A pension plan administrator has a duty to protect the pension plan, its assets and its beneficiaries from cyber risk. The approach to cyber risk should be both proactive, ensuring that appropriate practices and controls are in place to minimize the occurrence and impact of cyber incidents, and reactive, allowing services to be restored and harmed parties to be made whole quickly and effectively when an incident occurs. Because technology and cyber criminals are constantly evolving, the administrator's approach must be regularly reviewed and updated.
Read more @mondaq