The U.K.’s The Pensions Regulator, the body that protects workplace pensions, earlier this year put more than 300 pension plans on notice that their data may have been compromised by a breach at London-based Capita, a third-party administrator for the plans.
While it appears no participant data was impacted, an investigation is ongoing. Capita has data on hundreds of thousands of U.K. pension plan participants, and the potential impact of a breach is significant.
The attack—and another in the U.S. against retirement account portability platform The Retirement Clearinghouse that took place in March—highlights the need for institutional investors to pay special attention to cybersecurity, not just internally, but also at vendors and in their investments.
Cyberattacks are on the rise, and allocators, investors and retirement plans all make for high-value targets. The way adversaries target organizations is also becoming more sophisticated. In some cases, organizations may not even be aware their systems are compromised if an attacker has tricked someone into giving information away voluntarily.
Financial regulators are trying to catch up to the growing threat: In the U.S., the Securities and Exchange Commission and the Department of Labor have recently issued new cybersecurity guidelines and proposals for allocators, asset managers and broker/dealers.
When it comes to cybersecurity, institutional investors need to be thinking on multiple levels. Internally, the organization itself must be protected, and its employees trained to minimize vulnerabilities. At the vendor level, allocators have a tendency to herd into the same vendors, and that tendency could work against them, as with Capita, if they all face the same attack at the same time. Finally, allocators need to consider risk in terms of due diligence on their investments.
“The issue, to date, has largely been misanalyzed as a technical/operational issue,” said Larry Clinton, president and CEO of the Washington-based Internet Security Alliance, speaking at The Forum by CIO in May. Cybersecurity “is an enterprise-wide, risk management issue.”
More than strong passwords
In day-to-day operations, cybersecurity practices are often maligned. Everyone knows and hates the process of having a “strong” 14-character password that is impossible to remember, then getting a text with a code, then telling a robot you aren’t a robot before finally being allowed to log in. Biometrics might be easier, but does anyone really want to hand biometric data over to an employer?
So everyone ends up back at password, code, puzzle, login. Even with all of that, data from PwC says only 14% of companies made it through the past three years without a data breach. Perry Carpenter, the strategy officer at cybersecurity training firm KnowBe4, says much of the problem lies in the approach to cybersecurity.
“All we have to do is look around and see that this is not a solved problem by any means,” he says. “A lot of our procedures work against human nature, and it makes people want to opt out. Many times, organizations aren’t invested in regularly updating and patching systems, which makes them vulnerable. If you focus on patching and work on the human level, you could thwart 90% of attacks.”
According to Carpenter, working “on the human level” involves more than basic cybersecurity training that reminds people to watch out for phishing emails; it also includes thinking through the variety of ways people access systems and making it as easy as possible to secure that environment.
“Heaping steps on people is going to make them look for ways to get around the steps,” he explains. “Once they do, they’ll be happy, but they have also just found a vulnerability in your system. It’s likely adversaries have or will find it too.”
Carpenter adds that technologists tend to think new technology will solve everything. Cybersecurity staff might focus on getting the newest security technology in place, but doing so means that old systems are quietly falling out of date, creating new entry points for digital adversaries. “Patching is an important practice, because all it takes is one point of entry, and a system can be compromised,” Carpenter says. “You might hope that the new system will catch it, but they often don’t until it’s too late.”
Clinton, whose organization, along with the National Association of Corporate Directors, has published cyber-risk guidance for global corporate boards, advised: “Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management and consider cyber threats in the context of the organization’s overall tolerance for risk.”
Process and patching are just as important for vendors. Allocators should be asking firms they work with about their approach to cybersecurity. Jack Tamposi, associate director for the U.S. Institutional practice at consultancy Cerulli Associates, says cybersecurity is one of the most frequently outsourced services, and cybersecurity vendors also provide advice on compliance and regulatory issues. This means allocators need to ask if their administrators and other third-party vendors—like Capita—are contracting out their cybersecurity and, if so, what that process looks like.
Kristopher ‘Kriffy’ Perez, a co-founder of Global PayTech Ventures and a senior advisor at the Future Today Institute, recently experienced first-hand what it means to apply due diligence to vendors. Perez advises on cybersecurity from an investor perspective through his work at Future Today and also makes investments in financial services companies through his work at Global PayTech Ventures.
Perez recently overhauled the third-party process at Global PayTech after an adversary gained access to the system and impersonated a member of the investment team via email. The adversary got close to adding themselves as a contact with Global PayTech’s bank and even created fake partner email addresses to make it look like everyone was on board.
This type of attack, called business email compromise, is often targeted at investors and financial firms because it is hard to detect and can result in successful wire transfers to the adversary before anyone recognizes the breach. Recovering those transfers, if they’ve been voluntarily authorized by someone appearing to work for the investor, is difficult. In Perez’s case, the attack was caught by third-party security systems before any money changed hands, but it did lead to an internal examination of vendor relationships.
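The impersonation pattern described above can be caught partly from message headers alone. The following is an added example, not code from the article or from Global PayTech or any other firm it names: it flags an external sender whose display name matches an internal team member, a Reply-To that diverts replies away from the visible sender, and sender or Cc domains that imitate a known partner’s domain (the “fake partner addresses” tactic). Every domain, name and message in it is constructed for the example; the Reply-To check is a common BEC indicator added here, not one the article mentions.

```python
"""Header heuristics for business email compromise (BEC) indicators.

Added example; not code from the article or from any firm it names.
All names, domains and messages below are constructed for illustration.
"""
from email.utils import getaddresses, parseaddr

# Constructed reference data: the firm's own domain, staff who can
# authorise payments, and the partner domains wire instructions come from.
INTERNAL_DOMAIN = "example-ventures.test"
STAFF = {"Alice Lee": "alice.lee@example-ventures.test"}
PARTNER_DOMAINS = {"partnerbank.test", "example-lp.test"}

# Substitutions attackers use to build look-alike domains.
DIGRAPHS = (("rn", "m"), ("vv", "w"))
DIGITS = str.maketrans("013", "ole")


def normalize_domain(domain: str) -> str:
    """Undo common homoglyph tricks so examp1e.test compares as example.test."""
    d = domain.lower()
    for src, dst in DIGRAPHS:
        d = d.replace(src, dst)
    return d.translate(DIGITS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_partner(domain: str):
    """Return the partner domain that `domain` imitates, or None if exact or unrelated."""
    d = domain.lower()
    if d in PARTNER_DOMAINS:
        return None
    norm = normalize_domain(d)
    for partner in PARTNER_DOMAINS:
        if norm == partner or levenshtein(d, partner) <= 2:
            return partner
    return None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_message(headers: dict) -> list:
    """Return human-readable BEC indicators found in one message's headers."""
    findings = []
    name, sender = parseaddr(headers.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. A colleague's name on a mailbox outside the firm.
    if name in STAFF and sender_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' matches staff but sender is external: {sender}")

    # 2. A Reply-To that silently moves the conversation elsewhere.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        findings.append(f"Reply-To {reply_to} differs from From {sender}")

    # 3. Look-alike partner domains on the sender and on the Cc line.
    for header in ("From", "Cc"):
        value = headers.get(header)
        if not value:
            continue
        for _, addr in getaddresses([value]):
            target = lookalike_partner(domain_of(addr))
            if target:
                findings.append(f"{header} domain {domain_of(addr)} imitates partner {target}")
    return findings


# Constructed sample headers: one genuine thread and two BEC attempts.
SAMPLE_MESSAGES = [
    {"From": "Alice Lee <alice.lee@example-ventures.test>",
     "To": "ops@partnerbank.test", "Cc": "cfo@example-lp.test"},
    {"From": "Alice Lee <alice.lee@mail-example.test>",
     "Reply-To": "a.lee@mail-example.test",
     "To": "ops@partnerbank.test", "Cc": "cfo@examp1e-lp.test"},
    {"From": "Treasury <treasury@partnerbarik.test>",
     "To": "alice.lee@example-ventures.test"},
]


def scan(messages) -> list:
    """Findings per message, in order; a clean message yields an empty list."""
    return [check_message(m) for m in messages]


if __name__ == "__main__":
    for i, findings in enumerate(scan(SAMPLE_MESSAGES)):
        print(f"message {i}: {findings or ['no indicators']}")
```

Header checks like these are a cheap first layer; they do not replace out-of-band confirmation of any change to payment details, which is what actually stops a transfer once a convincing message has slipped through.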
“When someone tells you it was caught and it won’t happen again, you say, ‘OK, but this was a pretty elaborate attack,’” he says. “We felt it was necessary to look at what we could do to increase the complexity of our protection.”
Perez’s staff also took a deep-dive cybersecurity training program provided by the company’s bank to make sure its staff was on the same page. “There’s an opportunity when something happens to reinforce the process,” Perez says. “People care more; they aren’t complacent.”
Compliance is a core part of any cybersecurity program; without adequate protections in place, investors can end up with failed investments or fiduciary issues.
Gerry Stegmaier, a partner in the tech and data group at law firm Reed Smith, says from a fiduciary perspective, it is important to operationalize cybersecurity supervision.
“The distance from the server room to the board room is getting very short, and everyone from investors to regulators is starting to realize that cybersecurity isn’t a tick-the-box exercise—it’s a material governance issue,” he said.
Clinton’s remarks stressed similar points. He said it is crucial for boards of directors to understand “cybersecurity is not an IT-centric appendage issue, but rather needs to be woven into the full breadth of business decisions on an enterprise-wide basis,” adding that “boards should expect management to be able to assess cyber-risk in empirical and economic terms consistent with the business plan.”
To that end, Stegmaier says investors—whether looking at their own process, vendors’ processes or doing diligence on a potential investment—should look for the formal adoption of a cybersecurity program; regularly benchmark that program; and look for adherence to specific standards like ISO/IEC 27001, which is an international standard to manage information security.
“You want to be able to look at the repeatability, sustainability and demonstrable stability of a cybersecurity program,” he says.
That framework should apply even if an allocator is just looking at becoming a limited partner in an investment fund, not making direct investments in specific companies.
“Often the way an asset manager approaches cybersecurity in their fund is a proxy for how they will do it downstream in portfolio companies or other investments,” Stegmaier explains.
Putting such processes in place can also help mitigate fiduciary risks.
“Perfect security doesn’t exist,” Stegmaier says. “So there is a tendency to focus on resiliency: How fast can we respond when something does happen? But if you do that, you’re going to build into your program an under-investment in prevention, detection and remediation response. You’re going to have many more incidents that are otherwise easily preventable. And from a legal perspective, there’s a much greater probability that your performance will be deemed inadequate.”