Navigating Inherent Risk: A Guide to Cyber Risk Management for Pension Funds
By: Peter Dewar & Joe Potischman, Linea Secure
This is an excerpt from NCPERS Summer 2023 issue of PERSist, originally published July 18, 2023.
Pension funds are fundamentally exposed to risk because of their business processes. This unavoidable exposure – or "inherent risk" – applies to all funds regardless of size. Understanding the nuances of how your fund operates is crucial to recognizing the cyber risks related to the services you offer.
For instance, financial transactions and the handling of personally identifiable information are significant aspects of many organizations, and both bring inherent risks with them. If we examine, for example, a pension fund that provides services to active contributors and retired individuals, we find a broad spectrum of risk dispersed across the entity.
Pension funds are usually recommended or required to conduct an annual actuarial assessment. This exercise involves meticulous scrutiny of various components like contributions, membership composition, and investment returns to determine funding levels. As pension funds supply this information to the actuary, they also inherit the third-party risk based on the actuary's risk mitigation capabilities.
Similarly, pension funds that deal with investment managers are exposed to third-party cyber risk. If these investment managers lack strong cyber controls, assets could inadvertently end up in the hands of threat actors (as we have written about in detail here). Likewise, providing member self-services, such as allowing members and annuitants to access information electronically, apply for loans, or update beneficiaries, could also expose organizations to cyber threats.
So, how can pension funds effectively manage this risk?
Watching the news and worrying or reacting to the latest security breach is not a preventative risk management strategy. Instead, developing a comprehensive risk management and mitigation approach is a more proactive solution. This process begins with a detailed risk assessment to determine the current likelihood of threats based on an organization's policies and operational activities.
Next, pension funds should evaluate potential mitigation strategies. These could include implementing risk management controls that are aligned with recognized risk management standards, transferring risk to other organizations through insurance or another means, or avoiding certain risks altogether. An example of avoidance is opting not to offer a service that exposes the organization to risk, such as refunds through a member self-service portal, unless a mitigation strategy such as strong identity management capabilities is in place.
After risk assessment and mitigation, the following critical step is continuous risk management. This ongoing process involves regularly reviewing and updating risk management strategies and practices, reflecting evolving threats and organizational changes.
Understanding your fund's inherent risk and cyber threats associated with its operations is vital. However, merely understanding isn't enough. Implementing a holistic risk management approach, which includes risk assessment, risk mitigation, and continuous cybersecurity governance, is essential to navigating the terrain of inherent risk. Remember, the goal is not to eliminate all risk – an impossible task – but to manage it effectively, maintaining a balance between security and operational effectiveness.
Peter Dewar has over 25 years of experience in cybersecurity and leads the cybersecurity practice for the Linea group of companies that provide services across the United States and Canada. Under his leadership Linea has developed a Pension Cyber Security Framework (PCSF) to complement the generalized standards for protecting information systems. The PCSF focuses on the business process employed, services provided, and technology utilized by pension and benefits organizations, and devises controls to minimize and mitigate the inherent cybersecurity risk experienced by the industry.
Peter has a Master's degree in Information Systems from the George Washington University, a Bachelor's degree in Information Systems from the University of the District of Columbia, is a Certified Information Systems Security Professional (CISSP), Certified Data Privacy Security Engineer (CDPSE), and has received certificates of achievements from the Harvard Kennedy School of Government, Gartner CIO Academy, and International Foundation of Employee Benefit Plans.
Joe Potischman is the marketing specialist for Linea Secure with over 5 years of experience in the professional services industry. With his work, Linea has been able to present at over 15 separate engagements and has been published by multiple pension and benefit associations.
Joe has a Master's degree in Communication, Culture & Technology from Georgetown University. He has also received a Certificate of Achievement in Public Plan Policy from the International Foundation of Employee Benefit Plans (IFEBP). Prior to working for Linea, he managed CommLawBlog, an award-winning blog on Communications Law & Policy.