Contending with the intensity and frequency of cyber threats to business operations is a 24/7/365 challenge. While the banking sector has intensified its cyber defences, threat actors have set their sights on the retirement industry.
Not only is the financial quantum at risk huge, but the wealth and sensitivity of personal data sitting within retirement funds places the employers, administrators and trustees of retirement plans at significant risk in an environment that is increasingly litigious.
The retirement industry is governed by a strict set of fiduciary responsibilities when it comes to the administration of personal and financial data. On the one end of the spectrum the industry needs to remain compliant with regulations set out by the Protection of Personal Information Act (POPIA), while on the other end of the spectrum, addressing the demand for digital capabilities such as online access to funds and records, which increases their exposure to cyber threats.
According to Aon’s 2021 Cyber Security Risk Report, tougher decisions need to be made in an increasingly complex environment where the continuous rush to transform has organisations playing catch-up in the cyber security game.
Reducing cyber risk across an ecosystem
Addressing the cyber risks that retirement funds face requires working across the entire ecosystem of the value chain which includes administrators, technology, legal and human resources teams, along with any third-party contractors and clients themselves.
“The space where the retirement fund and technology meet, creates a complicated playing field where the inherent responsibilities of IT, finance and HR operations overlap. It needs these groups to rally around a common goal that focuses on keeping cyber security risk front and centre, especially as it relates to the sensitive nature of the information retirement funds are custodians of,” says Zamani Ngidi, cyber solutions client manager at Aon South Africa.
Aon’s 2021 Cyber Security Risk Report outlines four major areas for retirement plan administrators to consider in order to balance risk and opportunity through better decisions:
• * Navigate new exposures – Rapid digital evolution: The continued drive towards innovation, for example the Internet of Things (IoT), Internet of Bodies (IoB), and Smart City initiatives, will continue to pose yet more cyber risk. Operating in this environment, organisations are called on to weigh the projected benefits of a digital agenda against the cyber risk introduced by adopting new technologies or business models. As part of an enterprise-wide approach, it is essential to identify the cyber risks and threats; mitigate risks as appropriate through best cyber security practices; prepare and be ready for incidents; and consider which part of the risk to transfer off the balance sheet through insurance, and then scrutinise current and available policies to ensure new risks are covered.
• * Know your partners – Third-party risk: It is crucial to evaluate the cyber risks arising from supply chains in new ways and with heightened concern as it takes just one undefended back door to compromise a business’ information integrity. Explore key risks arising from supply chains, map them to key cyber security controls and determine actions your organisation can take to close the cyber security gaps. Social engineering continues to be a top method for cyberattacks, which is why it is important for all players in the retirement plan administrative ecosystem to educate staff members on basic cyber security awareness.
• * Concentrate on controls – Ransomware: Ransomware is no longer confined to the simple model of ‘pay to decrypt’ as data may be extorted, breached, or even erased. With 24% of South African companies having experienced a ransomware attack in the last year according to findings in the Sophos’ State of Ransomware 2021 white paper, significant business interruption is highly likely. It is critical to take steps to reduce your organisation’s exposure footprint and minimise the impact of data infiltration. A good place to start would be to engage with qualified cyber security professionals who will be able to identify vulnerabilities, stress test security measures in place, establish business continuity plans and assist with breach response.
• * Perfect the basics – Regulation: The Protection of Personal Information Act (POPIA) came into effect on 1 July 2020 in South Africa, making it essential for businesses to process personal information in line with regulations. According to Aon South Africa’s Insurance and Data Privacy report, even a retirement plan administrator needs to be aware of and co-ordinate the appropriate steps to mitigate the impact of POPIA on its day-to-day business activities.
“Data processing is becoming a litigious minefield with a swath of global data privacy laws adding to the fray, such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Act, Lei Geral de Proteção de Dados (LGPD) along with POPIA. It is creating greater awareness of the financial impact of cyber risk as well as emphasising the need for organisations to increase its understanding of cyber insurance,” says Zamani.
Protecting data and assets
“The retirement industry is striving to diversify its product offering while optimising investment strategies, which converges with the need to protect data. Making informed decisions in this space requires concrete data and analytics from a seasoned cyber risk expert in the field, who will be able to aid you in taking the necessary steps to protect information assets and data, whilst holding business partners and suppliers to similar standards, in order to mitigate any supply chain risk,” concludes Zamani.