In the fight against cybercriminals, institutional investors and other financial organizations are managing cybersecurity just as seriously as any other type of business risk, with standards that can accommodate the integration of new practices and assessment tools.
“We’re finding that, pension plans included, enterprises more broadly are taking [cybersecurity] more seriously and putting in place governance plans and frameworks that deal with situations like these,” says Sandeep Kakan, board trustee and secretary at the Canada-Wide Industrial Pension Plan. “But there is still a lot of room to go.”
While awareness is increasing, no defence mechanism is infallible and a cultural change in the workplace is necessary for an effective cybersecurity strategy.
Criminal activities targeting organizations that hold an incredible amount of sensitive information, such as pension plan sponsors, are evolving at an unprecedented pace, leaving those in charge of cybersecurity to plan both for prevention and for the eventual day they’re hit with a cyberattack. The exploitation of weak security procedures and user errors has shone a spotlight on the vulnerabilities facing even the most technology-savvy organizations, and the reality is that their prevention tactics may still not be enough to thwart these evolving digital threats.
“If you look at the motivation of most attackers today, it’s financial — they’re looking to compromise an asset or take information that has value,” says Ryan Wilson, cybersecurity partner at EY Canada. “If you look at pension plans, obviously, they hold vast amounts of data on their plan members including sensitive information and financial assets as well that are in their control.”
Vulnerabilities concentrate in third-party gaps
The capability of a pension plan to maintain a rigorous internal cybersecurity program isn’t always enough to stay safe.
Indeed, the introduction of third-party services, such as consultants or financial administrators, can significantly increase the risk level it faces, especially if the partner’s security measures don’t match those of the plan sponsor.
While plan sponsors have come a long way in their understanding of mitigating internal risks, they must now push further and extend their due diligence efforts to their business partners, says Peter Dewar, president at cybersecurity firm Linea Secure. He adds it’s important that a plan sponsor goes through its own risk assessment before putting its partners through a review. The results of this examination can help plan administrators build out or update their own cybersecurity governance.
A rigorous examination — both internally and for partners — includes actions like stress tests and system exploitation evaluations that seek out vulnerabilities such as erroneous configurations and major structural weaknesses. These tests are designed under the guidance of established risk management frameworks such as those of the International Organization for Standardization, the U.S. National Institute of Standards and Technology and the European Defence Agency’s cybersecurity division.
Once a plan sponsor is clear on its own digital risk profile, it can then extend a third-party risk assessment to its partners, he says. The due diligence process involves the recruitment of a cybersecurity engineer or analyst who can conduct a thorough examination based on a structured set of questions to test the level of protection in place and flag any potential gaps in the existing system. The complexity of the test for third-party partners is determined by the type of data the partner handles and how much access it has to the plan sponsor’s information systems. For pension plan sponsors, this process is becoming as vital as any financial review, adds Dewar.
The results of the test are critical since they can lead to difficult decisions about the continued use of the services of a long-standing partner, says Wilson. “If [the third-party] can’t meet those minimum baselines or controls that [plan sponsors] expect to be in place, then in many cases they will either look to another vendor to provide similar services or walk away from the contract.”
Financial institutions recognize that targeted cyberattacks are becoming more frequent and sophisticated, said Stephane Menard, chief technology officer at Purpose Unlimited, in an emailed statement to Benefits Canada.
Cybersecurity compliance standards like Service Organization Control Type 2 and ISO/IEC 27001, along with privacy controls from the NIST, are valuable tools for any institutional investor in the early stages of a cybersecurity protection plan, he said, adding monitoring firms can offer managed detection and response services.
“These frameworks, if followed, ensure robust security practices. To validate dedication to safeguarding and maintaining a secure environment, commitment can be showcased through audit reports, certificates of compliance and transparent security statements.”
Regulators stressing accountability and compliance
In recent years, Canada’s pension industry regulators have focused on the threats posed by cybercriminals.
At the start of the year, the Office of the Superintendent of Financial Institutions’ Guideline B-13 came into effect, establishing a cybersecurity framework for federally regulated pension plans.
Recent cybersecurity policy changes reflect plan administrators’ duty to plan members even after outsourcing functions to third-party service providers, says Lauren Graham, an associate at Brown Mills Klinck Prezioso LLP, adding virtually all regulators are on board with immediate reporting of material cybersecurity incidents, typically within a 24-hour window.
“[The] general themes that we’re seeing across these policies [are] that regulators are cognizant [that the] steps plan administrators should take need to be commensurate with the size and complexity of the plan,” she says. “The policies that we’ve seen so far tend to be high-level, principles-based so that they’re scalable and can be scaled to be appropriate for an individual plan’s circumstances.”
However, it’s important that any future regulation accounts for the different levels of resources available to plan sponsors of various sizes, says Kakan. The need to accommodate plan sponsors of all sizes is a focus of the Canadian Association of Pension Supervisory Authorities’ latest risk management guideline.
During a webinar last September, David Bartucci, head of pension regulations and regulatory effectiveness at the Financial Services Regulatory Authority of Ontario and a member of the CAPSA’s risk management committee, said the guideline accounts for proportionality so that it may serve any pension plan in Canada.
“We tried to be precise about the nuance between a plan sponsor and a plan administrator and use the appropriate term in context. We tried to strike the right balance between something that could be principles-based and administrators could sort of apply that guideline as appropriate in the context of their plan, without providing a list of expectations for all sponsors.”
Digital threats upgrade their approach
A successful cyberattack can put most investment organizations in a compromising position, where they might be forced to pay a ransom to continue operating or where the sensitive information of plan members — including first and last names, social insurance numbers, email addresses, phone numbers and potentially even some medical details — may be lost, which can then be used to target those users for financial gain.
These aren’t the actions of individual cybercriminals — rather, they’re sophisticated efforts taking place through online collectives that are constantly looking for new opportunities, says Dewar, adding the coronavirus pandemic caused an acceleration of targeted attacks on the unaddressed cybersecurity vulnerabilities of financial institutions.
One of the latest developments is the use of artificial intelligence to push the limits of ‘dwell time,’ a term used in cybersecurity to describe how long an attacker can remain inside an organization’s network without being detected. While previous attacks were typically launched after a month of monitoring by a cybercriminal, AI can extend this dwell time to periods of 200 days or longer.
Generative AI — programs that can create new content like text and images based on cumulative data — is already being used to improve the quality and legitimate appearance of phishing emails so that targets won’t immediately dismiss or report the attack, said Mike Plantinga, vice-president and head of enterprise security and information technology at CIBC Mellon, in an emailed statement to Benefits Canada.
In even more extreme cases, generative AI can produce advanced code to design and spread malware across a system. It can also be used to manipulate existing audio and video files to create deepfakes that can trick a target into thinking they’re speaking with a colleague, even during a live call.
Financial institutions must implement “strong data privacy policies and robust cybersecurity measures” to stay ahead of the risks posed by generative AI, said Kate Tong, an analyst on the ESG research team at TD Global Investment Solutions, in a statement posted on the money manager’s website.
“Solutions include having trained internal staff act as an intermediary between direct model outputs and the customer [as well as] working to understand potential biases in the training data and address them in model design.”
Creating a response plan
When strengthening cybersecurity measures, investment organizations must also create a response plan in the event of a successful cyberattack.
The OSFI defines a cybersecurity incident as an event that has the potential to impact operations by compromising the confidentiality, integrity or availability of systems and information.
A response plan must consider the potential costs associated with repairing any compromised network systems after an attack, says Dewar, noting repair services can be expensive for a plan sponsor if it’s already in the middle of a crisis management situation. In addition, there can be significant costs associated with the investigation required to figure out exactly how the incident took place. A 2023 report by International Business Machines Corp. noted the global average cost of a data breach in 2023 was US$4.45 million, a 15 per cent increase over a three-year period.
The OSFI’s guidance says plan sponsors must notify the regulator of an incident taking place within a day of the discovery, including cyberattacks that disrupt a plan sponsor’s online services, a third-party breach, an extortion threat and a technology failure leading to services like a pension portal being taken down.
Key takeaways
• The consideration of evolving cybersecurity practices among pension plan sponsors is taking place at a time when the level of risk associated with new digital threats is increasing faster than ever.
• Plan sponsors have numerous cybersecurity vulnerabilities, including third-party partners. Security experts recommend a thorough examination of practices by any partner that has access to sensitive information.
• New regulations emphasize the responsibilities and accountabilities of pension plan sponsors in preventing and responding to digital threats.
Prevention tactics keeping pace
The systems that investment organizations rely on for their day-to-day operations are routinely inspected for vulnerabilities and improved through software upgrades or the use of new programs, says Dewar.
Improved safety mechanisms, such as advanced encryption methods, firewalls and two-factor authentication, are becoming more popular tactics to protect point-of-entry services like websites. A 2023 report by EY on the management of cybersecurity for pension plans noted websites and plan member portals were among the leading vulnerabilities in need of enhanced vigilance.
One of the most common attacks that financial organizations encounter is phishing, a targeted attack disguised as a legitimate message sent via email, text message or social media, which uses a sense of urgency to lead the user to mistakenly click a compromising internet link.
This form of cyberattack, especially over email, is a priority for Randy Haug, senior vice-president of technology and information technology services management at the Colleges of Applied Arts and Technology’s pension plan. The CAAT enforces a rigorous cybersecurity training program for staff, including monthly scenario-based tests as well as annual reviews of cybersecurity practices and information management.
“It’s really important for us that they have an understanding of what the potential threats could be and the things to look for.”
Cloud services can also protect data by removing employee access when it’s no longer needed, said Plantinga. This tactic is used to protect data from well-intentioned employees who circumvent security controls to access data more easily. He described this event as one of the “less-addressed threat vectors” impacting plan sponsors today.
Unfortunately, technological innovations can also open the door to new weaknesses that plan sponsors will have to address. Security measures have to be considered whenever a large-scale digital innovation — like the use of cloud services for data management — is introduced, says Wilson.
“[The cloud is] introducing new vulnerabilities that [plan sponsors] may not have possibly considered in the past.”
Bryan McGovern is an associate editor at Benefits Canada and the Canadian Investment Review.