National Conference on Public Employee Retirement Systems

The Voice for Public Pensions


The Cyber Threats for Pension Funds

  • By: admin
  • On: 10/05/2023 16:13:38
  • In: News
By: Steve Ross, Board Smart LLC

The combination of large amounts of personal information, money and small staffs makes public employee pension funds especially vulnerable to cyberattacks. These funds, especially those with fewer IT-savvy employees, must protect themselves.

This is an excerpt from the NCPERS Summer 2023 issue of PERSist, originally published July 18, 2023.
Public employee pension funds are prime targets for cyberattacks.  Very few other enterprises have the combination of large amounts of personally identifiable information (PII), lots of money and relatively small staffs. Most financial institutions with assets the size of a typical pension fund have many more employees, particularly in Information Security. Hedge funds and private equity firms also have plentiful assets, but very little personal information, while companies with databases rich in PII rarely have as much money as pension funds do.

The recent cyberattack on a servicer to CalPERS and CalSTRS, America's two largest public employee pension funds, has exposed the PII of more than a million members and the reality of the threat to pension funds. And this was not an isolated incident. Attacks have been reported on systems in Oklahoma, Massachusetts, and Missouri, among other jurisdictions.

Public employee pension funds, especially those with fewer IT-savvy employees, must protect themselves. The first thing is to accept the potential danger and to train employees as to what they can do – and not do – to make their systems safer. Equally, boards should be educated as to the magnitude of the threat in their systems so that they can allocate adequate resources to prevent and detect cyberattacks and to build resilience should an attack occur.

Every fund that runs its own systems, whether on its premises or in the cloud, should implement at least a baseline cybersecurity program. The Employee Benefits Security Administration (EBSA) Cybersecurity Program Best Practices lists twelve measures that range from the general (“Have a formal, well-documented cybersecurity program.”) to the rather specific (“Encrypt sensitive data, stored and in transit.”). Every pension fund should be aware of this guidance, even if it feels it cannot afford to adhere to all its requirements. Those funds that outsource benefits administration, investments or both should ensure that their service providers follow EBSA's practices.

In terms of information security technology, every pension fund's systems should be equipped, at a minimum, with up-to-date firewalls (also known as next generation firewalls), intrusion detection and prevention software and, of course, encryption. Equally important is to have round-the-clock monitoring of information systems applications and infrastructure to detect attempted attacks, or worse, successful ones. There needs to be an incident response capability so that malware can be removed before it causes too much damage. Finally, every pension fund should have a plan for how they will continue to serve members and annuitants if a cyberattack does bring down their critical systems.

All of these technical and organizational measures require people to implement, administer and maintain them. Often, this is the limiting factor for adoption of best practices, especially for smaller funds. There are outsourced services known as Managed Security Service Providers (MSSP) that can fill the gap. They can bring the expertise, resources and technology that these funds either lack or cannot afford.

However, if a public employee pension fund chooses to address the issue of cybersecurity, it must accept the reality that this is not a one-time investment. Each advance in information technology has been accompanied by bad guys (a technical term) who attempt to exploit the vulnerabilities that are introduced. This will go on for the foreseeable future.

About the Author:

Steven Ross is Senior Advisor at Funston Advisory Services and holds certification as a Certified Information Systems Security Professional (CISSP) as well as a Master Business Continuity Professional (MBCP), a Certified Information Systems Auditor (CISA) and a Certified Data Privacy Solutions Engineer (CDPSE). Mr. Ross is a specialist in the field of information systems security and control, specializing in Information Security, Business Continuity Management, Data Privacy and IT Disaster Recovery Planning services. He has implemented Information Security programs for numerous pension funds, banks, government agencies and industrial corporations. Prior to joining Funston Advisory Services, Mr. Ross was a Director and global practice leader with Deloitte. 

In consulting engagements, he specializes in planning, policy development, implementation, and standardization of Information Security processes.  In recent years, his focus has been on reliability, prevention, detection and recovery from the technical and business impact of cyberattacks. 

