BCFSA releases draft information security guideline
The British Columbia Financial Services Authority (BCFSA) has released for consultation two guidelines on information security and outsourcing. The BCFSA is holding two separate 60-day consultations on the guidelines at the same time, with an April 19, 2021, deadline for stakeholder submissions on the Information Security Guideline.
Draft Information Security Guideline
On February 18, 2021, the BCFSA released its draft Information Security Guideline (the IS Guideline) for all BC pension plan administrators, as well as credit unions, insurance, and trust companies. All of these regulated entities are referred to as provincially regulated financial institutions (PRFIs) for the purpose of the IS Guideline.
The draft IS Guideline establishes principles and best practices that PRFIs are expected to follow in order to mitigate information security risks posed by digital and online services. The BCFSA has identified information security risks as including unauthorized, illegal, or accidental use, disclosure or destruction of data or impairment of network systems, which can cause serious harm to consumers and significant reputation damage to regulated entities.
The draft IS Guideline states that PRFI Boards of Directors or their equivalent are ultimately responsible for overseeing the prudent management of information security risks. The Board should, among other things, identify the governing body accountable for overseeing information security, approve the information security strategy of the organization, possess current and relevant knowledge in information security or recognize when expertise or third party advice is needed, and assess the competencies, skills, and experience of senior management pertaining to information security. Senior management is responsible for the development, documentation, implementation, and monitoring of information security strategies, policies, and procedures.
The draft IS Guideline describes information security actions expected to be implemented across all PRFIs.
- Information Security Risk Management Framework: Senior management should establish and document an effective information security risk management framework, which should be reviewed at least once a year. The framework should focus on security measures to mitigate information security risks. It should clearly set out strategies for responding to and recovering from major information security incidents and define escalation processes.
- Identify: A PRFI should develop an organizational understanding of information security risk to systems, people, assets, data, and capabilities. This includes collecting threat information and conducting risk assessments.
- Protect: A PRFI should develop and implement preventative physical and logical security measures against identified information security risks. These measures include providing training and awareness on information security to all personnel and performing timely IT system and software updates.
- Detect: A PRFI should establish monitoring processes to rapidly detect information security incidents and periodically evaluate the effectiveness of identified controls (e.g., monitoring, testing, audits, and reporting).
- Respond: A PRFI should develop and implement appropriate actions in response to information security incidents. It should establish processes to ensure consistent and integrated monitoring, handling, and follow-up of incidents.
- Recover: A PRFI should develop and implement activities to maintain plans for resilience, restore capabilities or services and comply with applicable legislation. It should document and be able to execute a recovery plan for information security incidents.
- Communication with the Regulator: PRFIs must notify their BCFSA Relationship Manager of a major incident as soon as possible, and provide a written incident report within 72 hours of such notice. Until the incident is contained/resolved, the PRFI should provide their Relationship Manager with subsequent updates, including any short-term or long-term remediation actions and plans. Examples of major incidents include cyber attacks, service failure, third party breach, extortion threats and internal breach. The IS Guideline also provides a template for security incident reporting.
The draft IS Guideline applies to all PRFIs irrespective of size. However, the application of the IS Guideline will be determined on an institution-by-institution basis, and will ultimately depend on the nature, scope and complexity, and risk profile of the PRFI. The BCFSA directs regulated entities to refer to the Outsourcing Guideline where information management services are outsourced. The BCFSA expects PRFIs to ensure that all outsourced services comply with all applicable legislation, regulations, and/or rules, as well as with the IS Guideline in the treatment of the PRFI’s information.
Draft Outsourcing Guideline
On February 22, 2021, the BCFSA released a draft Outsourcing Guideline for all PRFIs. Pension plans are not included in the draft Outsourcing Guideline as pension outsourcing responsibilities are covered in the governance policy of a pension plan.
Although the draft IS Guideline is applicable across all of the BCFSA’s regulated sectors, its release indicates a growing concern with information security among Canadian pension regulators. Most pension plan administrators will rely heavily on third party pension administrators and consultants. As a leading pension administrator and consulting firm, Morneau Shepell will carefully review the draft IS Guideline and will be making a submission to the BCFSA.