Pension Funds Mount Defenses Against Growing Cyberthreats

Security is ‘top of mind,’ as attacks have grown and insurance is more costly.

Art by Irene Servillo

Pension funds must foster a collaborative environment—both across internal departments and with industry peers—to defend against growing cyberthreats, sources say.

“Cybersecurity, identity theft, hacking into our systems—they are all top of mind for public pension plans,” says Hank Kim, executive director and counsel for the National Conference on Public Employee Retirement Systems, a trade association for public pension funds. “There is a constant dialogue, including at industry conferences, held on these topics [so we are] on top of the latest threats and countermeasures to these threats.”

In addition to his role at NCPERS, Kim is vice chair of the $2.2 billion Fairfax County Uniform Retirement System. He notes that pension funds are coordinating efforts across their legal, communications, information technology, benefit services and broader administration teams to determine how to best defend against cyberattacks.

In fact, NCPERS acts as a resource for member plans, which use its platform to connect with peers, share concerns and sometimes crowdsource solutions to cyberthreats, Kim says. He says theft of personally identifiable information is a top concern.


“To the extent that plans are custodians of PII, they want to make sure that is secure,” Kim notes. “Bad actors can pose as some of their members to illegally change benefits to go from the rightful beneficiaries to themselves.”

Types of PII that pension funds would typically maintain include Social Security numbers, addresses, names and financial account information needed to pay or administer member benefits.

In phishing attacks, scammers often use emails—or sometimes text messages or phone calls—to trick individuals into sharing sensitive information, like passwords or financial data.

Laura Arnott, director with cybersecurity expertise at Vigilant Compliance LLC, a firm serving the investment management industry, says phishing scams remain a top cyberthreat across industries—with pension funds no exception, given that they collect participant data.

Pension funds “have lots of personal data, and that’s what the attackers are after,” Arnott explains. “PII, that kind of data … that’s what they’re able to monetize.”

Types of Threats

Last year, the country’s two largest pension funds, the California Public Employees’ Retirement System and the California State Teachers’ Retirement System, experienced data breaches after hackers targeted a cybersecurity vendor for both plans, according to a report by The Sacramento Bee.

The breach, carried out by a ransomware group, ultimately exposed the personal data of a combined 1.2 million retirees and beneficiaries, the report stated.

Arnott notes that while ransomware—malware that encrypts critical files or renders IT systems unusable—is certainly a concern for pension funds, phishing scams are still the more prevalent attack method, especially as scammers get better at making emails look like legitimate messages from trusted sources.

In phishing scams, “attackers are typically trying to get the credentials of an individual, then get into a system and move around in that system,” Arnott says. “Phishing is still extremely prevalent, and it seems to be getting more and more realistic.”

Cyberinsurance

In an attempt to reduce the financial burden associated with cyberattacks, many businesses and organizations have, in the last decade or so, begun purchasing cyberinsurance, according to Kim. However, it is still debatable whether such insurance is accessible for the average pension fund.

“The consensus is: To the extent that there is a market for cyberinsurance, [pension] plans think it’s a good thing to have,” Kim says. But, he adds, “from the years just preceding COVID, with all the ransomware attacks that occurred, the cyberinsurance market has gone completely upside down. It’s very difficult to get cyberinsurance.”

In the early to mid-2010s, it was fairly easy to get insured, because “insurance companies knew there was a threat, but there weren’t many claims made,” Kim explains. “In or around 2015 and 2016, there were a lot of ransomware attacks,” which contributed to shifts in the insurance industry.

Today, cyberinsurance providers charge “astronomical premiums” and require much more proof that the insured will have an appropriate defense in place to prevent breaches, Kim says.

One of NCPERS’ affinity programs offers cyberinsurance to member pension plans, but the process of getting coverage has changed drastically over the years.

“When we first started offering cyberinsurance around 2010, a plan could get insured by answering some basic questions,” Kim says. “That is no longer the case, and even if the plan shores up every weak point, the insurance premium is very, very expensive.”
