BCFSA Information Security Guideline for Pension Plan Administrators - Key Takeaways

BCFSA recently released its final Information Security Guideline for Pension Plan Administrators. The new Guideline will come into effect on July 1, 2025.

This new Guideline is specifically for pension plan administrators in British Columbia and will replace the 2021 Information Security Guideline for Provincially Regulated Financial Institutions that broadly applies to all provincially regulated financial institutions (e.g. credit unions, insurance companies). The new Guideline is intended to address feedback from the BC pension industry that the 2021 Guideline did not satisfactorily take into account the unique circumstances, mandate and resources of pension plans, as compared to the other sectors regulated by BCFSA.

Like the 2021 Guideline, the new Guideline sets out BCFSA’s expectations in relation to information security - but with a focus on pension plans - including:

  • Maintaining a risk management program;
  • Identifying the information security risks in respect of systems, people, assets, data and capabilities;
  • Protecting data and systems in light of the sensitivity and value of the data and information;
  • Establishing monitoring processes to detect information security incidents;
  • Developing response and recovery processes; and
  • Communicating with BCFSA about “material” information security incidents.

However, pension plan administrators should note that the new Guideline also introduces more prescriptive expectations than the 2021 Guideline, including:

  • Administrators are expected to demonstrate that they have familiarized themselves with CAPSA guidelines, including the CAPSA Guideline on Pension Plan Governance.
  • Administrators are expected to inform plan beneficiaries and members about “material” incidents that have an impact on benefits, financial or personal interests. The new Guideline also provides greater clarity about what BCFSA will view as a “material” incident.
  • The new Guideline is more prescriptive about an administrator’s reporting requirements in the event of a material information security incident, including specific timelines for reporting. It also specifies that administrators are expected to inform BCFSA of material incidents originating with any third-party service providers (and not just those originating with the administrator).

As noted in our prior blog post, BCFSA released a draft of the new Guideline in July 2024 for consultation. The final version has minimal substantive changes from the draft version.

We encourage pension plan administrators to review the new Guideline and take any steps required to ensure compliance with the Guideline by July 1, 2025. Please reach out to any member of our Pension and Employee Benefits Group for more information.

About Us

Lawson Lundell's Pension and Employee Benefits Law Blog provides updates on the most recent legal developments impacting pension and employee benefit plans. We cover a range of topics, including recent case law and changes to relevant provincial and federal legislation.

Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage. 