"Attention all trustees and board directors. This is not a drill. We are experiencing a cyber incident. Please proceed to your designated emergency stations. We repeat, this is not a drill."
One would have to be living in a pretty big cave or deep in some rainforest miles from good Wi-Fi not to realize that cyberattacks represent one of the most significant risks facing modern society. Not a day goes by where, somewhere in the world, an organization joins the growing list of victims of cybercriminals motivated by money, fame or political agendas.
While the call to arms for pension plans, third-party administrators, asset managers and consultants has been raised for years now, can anyone comfortably say the pension industry has taken big steps to address cyberattacks and data theft — risks the World Economic Forum's 2018 Global Risks Report ranked third and fourth in likelihood to occur?
Here are actions designed specifically for trustees and board directors (i.e., fiduciaries) of plans, as well as for the executives responsible for the day-to-day management of the trillions of dollars of retirement capital. The list is only partial, but it does represent the key foundations of effective oversight of this complex and daunting challenge facing fiduciaries and their management teams.
Fiduciaries need to get outside of their comfort zones and take these steps:
1. Develop knowledge of the language of cyberrisk;
2. Understand the nature of plan/fund digital assets; and
3. Comprehend the cyberrisk management strategy proposed by executive leadership.
Developing a command of one common vocabulary is critical to the clarity of the conversation between fiduciaries and executive leadership. It means fiduciaries and management share an understanding of the important words used in information security. It does not mean fiduciaries have to become "tech heads" and start reading Wired magazine, but it does mean they need to understand the key initiatives described by the chief information security officer or other security staff when those initiatives are presented.
A common vocabulary helps demystify the jargon and present the information in intuitive, layman's terms. That will enable everyone to understand that "initiating an end-point tool" broadly translates into installing some kind of software on every electronic device authorized to have access to the organization's information, or "digital assets." "Digital assets" means information that now resides in electronic rather than paper form. Regardless of how long or short the vocabulary list is, developing one dictionary is critical for meaningful and informed conversations and decisions.
Once a common vocabulary has been established (and continues to be built upon) fiduciaries need to understand the nature of the digital assets that have the greatest value to stakeholders. In order to develop this understanding, fiduciaries need to ask these questions:
- What are the most important digital assets of the plan? For example, personally identifiable information, details of the investment strategy and/or proposed transactions in non-public investments.
- What is the process that management uses to segment and rank in importance the digital assets in the plan?
- Who has access to this information, why do they have access and how is the use of this information monitored?
- What information security tools, practices and processes are in place to ensure key digital assets are secure?
Building on the knowledge of what the most important digital assets of the plan are provides the context for fiduciaries to evaluate the organization's cyberrisk management strategy.
Alas, evaluating the plan's cyberrisk management strategy is fraught with challenges.
Fiduciaries and executives should realize very few institutions have the capital to address all cyberrisk exposures (save perhaps the military or intelligence agencies). Therefore, the evaluation process should reflect a rigorous and disciplined prioritization theme that deploys the majority of the limited financial and operational resources to protecting the most important digital assets with the remaining portion spent on the incident-response plan.
Taking this approach lets an organization avoid a whack-a-mole approach in which resources are spent on the most noticeable vulnerability with insufficient regard to whether the investment reduces the risk posed to the most important digital assets of the plan. Extending the games metaphor crudely, organizations need to avoid a ring-toss strategy in which actions and money are spent on the activities that have the highest chance of success (i.e., the bottles close to you) rather than on throwing the ring at the bottle that has the most desirable prize.
Of course, a great deal of responsibility for responding to cyberrisk rests with executive leadership. Here are three recommended steps to take now:
1. Identify a senior executive who is directly responsible for leading the first two of the three action steps listed previously. Do not seek perfection; it is unattainable due to the rapidly evolving nature of technology as well as the type of risks that come with so many innovations. Aim for 80% and call it a day, and be comfortable communicating to fiduciaries that it is better to take action based on good plans than it is to stand still endlessly seeking the perfect plan. One good test of the robustness of the cyberrisk management strategy would be to have a third party perform an independent analysis. Consider recommending the board hire its own reviewer to add a greater level of independence.
2. Be sure your cyberrisk strategy contains an incident response plan that will be run frequently (three times a year, unannounced). Robust IRPs are those that are rehearsed and continually improved based on the outputs of each session. In addition, IRPs provide the board with clear and unambiguous evidence to defend its members and the organization from potential litigation risk that will arise after a cyber event.
3. Most importantly, do not view the creation of an effective cyberrisk strategy strictly as a risk/internal audit/compliance task. Addressing the cyberrisk threat is very different from most risks that appear in a traditional risk inventory. Cyber events can be both highly likely and highly impactful to any organization, and will result in an immediate loss of faith and trust by stakeholders.
It is better to think about your cyberrisk management strategy in the same terms you think about how you protect the sanctity of your home. Most of us lock the doors when we leave, engage security systems and hang a big sign on the backyard gate that says "beware of large dog." Taking these steps does not make our homes impenetrable to any motivated burglar. These steps do, however, distinguish our house from the one down the street that has none of the same features, which in the eyes of a thief makes the decision to attempt a break-in a proverbial no-brainer.
The dark side of boardroom behavior
To be clear, fiduciaries have a specific responsibility to understand how the executive leadership responds to the wide range of key risks that pose a threat to the sustainability of the plan. There is little debate on this responsibility. That said, this area of inquiry is not pursued as actively as it should be, due in part to these factors:
Fiduciaries who feel they do not have the capability to understand and effectively evaluate the answers to the previous questions will be reluctant to ask them. This is similar to my experience of learning three dozen words of Spanish online, which allows me to ask "what is the name of your dog?" I am in no way planning on using my newfound skill with a native Spanish speaker who wants to tell me his dog ran away last week and ask whether I would help him canvass the neighborhood.
Also, possessing suspicions is more defensible than actually knowing facts — if questions are asked and answers are given, then the onus of understanding and approval falls on those who asked the questions. This is akin to a "don't ask and I won't tell" strategy. I am pretty sure I would not want to use this strategy when required to participate in a legal deposition.
Lastly, there is a myth that permeates some boardrooms that "we" would not be a victim because there are "bigger targets than us." While I am reasonably sure this is not the conversation at one of the big banks, defense contractors or government agencies, I have heard it more than once in quiet conversations in the pension industry. This is a dangerous argument that is based solely on the hope that cybercriminals will choose "someone else." The argument falls apart in the face of the fact that a significant proportion of cyberattacks are not executed by humans but by machines that relentlessly troll websites and internet traffic, scanning for opportunities to upload malicious software based solely on the vulnerability and not on the size of the bank account.
Lloyd Komori is managing director of his own Toronto-based consulting firm focused on risk management, governance and cybersecurity. This article represents the views of the author. It was submitted and edited under Pensions & Investments guidelines but is not a product of P&I's editorial team.