OSFI Issues Draft Advisory on Technology and Cyber Security Incident Reporting for Federally Regulated Private Pension Plans; Comments Due September 30

Published June 30, 2023

The Office of the Superintendent of Financial Institutions (OSFI) issued a draft version of an advisory describing its expectations for reporting technology and cyber security incidents that affect federally regulated private pension plans (FRPPs).

FRPP administrators have a responsibility to address technology and cyber security incidents in a timely and effective manner. When they occur, OSFI expects administrators to notify OSFI by filing the Technology and Cyber Incident Report for FRPPs (Incident Report). The requirement to notify OSFI should be reflected in a FRPP's risk management framework or resiliency plan.

The advisory includes details on:
  • Scope and definition of a technology or cyber security incident;
  • Criteria for reporting;
  • Notification requirements;
  • Failure to report; and
  • Examples of reportable incidents.

Questions and comments concerning this Advisory and Incident Report should be sent to [email protected]. Comments are due September 30, 2023.

Additional information

Letter

Incident Report