Cybercriminals must have huge smiles on their faces when they think about the significant assets and personal data held by Canadian pension plans. As the frequency and sophistication of cybercrime surges in an environment where plan sponsors increasingly rely on ever-changing technology to keep assets safe and protect member interests, it’s not surprising that cyber security has moved to the top of many plan sponsors’ priority lists. 

Recognizing a growing problem

The numbers speak for themselves. Canada’s financial services industry experienced one of the highest cyber-attack rates globally in 2022—second only to Latin America.1  The seriousness of the situation is reflected in the Office of the Superintendent of Financial Institutions’ Annual Risk Outlook for 2023-24,2 which highlights cyber as one of the top risk factors and notes that “evolving technology, combined with greater dependence on third-party technology providers, have increased both the attack surface and cyber risk.” 

Exercising the plan sponsor’s fiduciary duty

The risks associated with cybercrime are significant, ranging from financial loss and disruption of operations to negative impact on a plan’s reputation and fund performance. Traditional tactics used by cybercriminals include:

• Phishing emails that trick retirees into inadvertently revealing access information as part of a hacking attempt
• Purchase of personal information by cyber thieves through the dark web 
• Use of ransomware for extortion purposes as was the case with a Canadian plan sponsor several years ago

More recently, cybercriminals have been employing artificial intelligence (AI) applications that involve “deepfakes” (a combination of “deep learning” and “fake media”), as well as AI-assisted password cracking and hacking, to achieve their nefarious objectives.3

Faced with an increasingly challenging environment, plan sponsors have a fiduciary responsibility to implement an effective cyber resiliency plan and well-defined crisis management approach that will guide the way forward.

Building a sound cyber resiliency plan

Advance preparation is key to effective cyber risk management, including a well-thought-out approach that aligns with the pension plan’s overall risk management framework that includes several components:

• Fostering a cyber culture across the organization through employee training on a wide range of topics such as password creation, social media etiquette and the identification of suspicious emails
• Centrally managing software to avoid the potential for ransomware attacks from fake software updates
• Implementing multifactor authentication protocols for additional security around frequently-accessed accounts
• Conducting regular data backups to facilitate timely business recovery following a system crash or data theft
• Frequently reviewing the pension sponsor’s cyber plan to ensure that it reflects the current environment

It is also essential to imbed cyber risk as a key consideration in the selection of third-party service providers such as investment managers and asset servicers—two groups to which plan sponsors outsource a significant amount of work.  Important questions to ask external providers and incorporate into RFPs are:  

• Do the third parties have a cyber resiliency plan that holds them to the same standards that govern the plan sponsor’s own approach to safeguarding systems and member assets?
• Do they have a risk policy that requires security testing of internet-facing applications regularly?
• Do they have documented timelines for remediating application security vulnerabilities? 
• Do they have a well-defined process to advise the plan sponsor of a cyber incident, and its potential impact on members and their assets?
• Will they provide regular updates that enable the plan sponsor to monitor the third party’s cyber management capabilities on an ongoing basis?

While not an exhaustive list, each of these activities will help the plan sponsor build a cyber-resilient organization, significantly reducing the ability of cybercriminals to disrupt operations.

Tailoring the crisis management response

Even the most stringent cyber risk management protocols and the highest level of resilience are unlikely to prevent each and every cyberattack. This makes the pension plan’s responses to these attacks extremely critical. 

Upon detection of an incident, it is important to act quickly as part of a sound, pre-planned crisis management framework that facilitates resumption of normal operations as swiftly and safely as possible. Such a framework typically covers a multitude of different scenarios and answers four key quesitons:4

1. What are the roles and responsibilities of the incident response team, including third parties?
2. What resources will be required to investigate the incident and maintain critical functions?
3. How and when will board members and trustees be notified of the situation?
4. How and when will regulators, law enforcement agencies, third parties and plan members be notified and what information will be disclosed?

The crisis management plan, tailored to the unique requirements of different cyber incident scenarios and tested on a regular basis, will provide details of each step to handle the potential incidents—from initial detection to final resolution.

Minimizing risk and managing fall-out

Cyberattacks are a key risk for pension plans of all stripes. Increasingly complex and ever-evolving threats require constant vigilance on the part of plan administrators as they look to deliver on their fiduciary duties and build cyber-resilient organizations. Protecting the assets and personal information of plan members is central to this role, including a comprehensive strategy for responding to and reporting on potential cyber scenarios—a plan that has undergone extensive testing and encompasses third-party providers.

While no amount of preparation will guarantee full protection against cyberattacks, a proactive, targeted approach will minimize the inherent risk and help manage fall-out from cyber events. This will provide plan members with the assurance that their future is in safe hands—and wipe smiles off the faces of those evil cybercriminals.

^{1 LexisNexis, Risk Solutions Cybercrime Report 2022, August 15, 2023}

^{2 Office of the Superintendent of Financial Institutions, Annual Risk Outlook, April 18, 2023}

^{3 Forbes, AI and Cybercrime Unleash a New era of Menacing Threats, June 23, 2023}

^{4 Canadian Association of Pension Supervisory Authorities, Cyber Risk for Pension Plans, June 9, 2022}