
Cybersecurity blind spots leave pension plans exposed, experts warn

By Josh Welsh, Journalist, Benefits and Pensions Monitor
November 20, 2025

This article originally appeared on Benefits and Pensions Monitor.

‘You’re going to be so much better prepared for how you handle that situation if you’re able to tell the story your way,’ says data breach lawyer

For pension plan administrators, cyber threats are no longer a matter of “if,” but “when.” With phishing attacks and ransomware becoming more common and more damaging, the risk to plan member data is growing rapidly.

As Canadian pension plan sponsors, administrators, trustees, asset managers and other retirement income system leaders gathered at the Halifax Convention Centre for the Association of Canadian Pension Management (ACPM)’s annual national two-day conference on Thursday, Kim Schreader and Matt Saunders came together to break down the risks and defenses plan sponsors can adopt to protect plan member data and manage third-party vulnerabilities.

Both speakers in the workshop session emphasized the threat environment has evolved dramatically.

“Cybersecurity is a fairly new concept... but it is rapidly evolving. That’s what makes it feel scarier, the pace of change,” said Schreader, director of cybersecurity professional services at TELUS, noting organizations have been forced to digitize quickly, especially after COVID-19, and that’s left gaping holes in infrastructure, policy, and awareness.

She underscored this lack of maturity is compounded by fast-moving technological change. Organizations have since adopted cloud services, remote work models, and digital member portals at an accelerated pace, all of which introduce more complexity and risk.

“There is a resource shortage and there is a knowledge gap,” she added. “There are not enough people to address all the challenges and the organizational needs of the companies as they try to understand where they are. This was largely considered an IT thing 40 years ago, and now cybersecurity is really its own domain. There’s more pressure on budgets. While we’ve heard a lot about different economic pressures over the last couple of days, those are equally apparent in a cyber budget, particularly if an organization doesn’t understand its risk, or doesn’t believe in its risk. It’s then really hard to get money, so we’re now competing for resources again.”

Another complicating factor is the boardroom perception of cybersecurity as a cost centre. Boards tend to focus on the financial bottom line, and unless security incidents are seen as business risks, not just IT problems, funding remains difficult to secure.

Schreader also pushed back against a common misconception: that small and mid-sized organizations aren’t targets. In reality, threat actors go after everyone, and mid-market firms are hit hardest because they lack the resources to recover quickly.

“Sixty percent of small to medium businesses that suffer an attack usually have to close their doors within six months,” she added. “While there's a larger payoff in enterprise, it is much, much harder for a small and medium business to recover from a breach.”

While the cost of a breach for mid-sized businesses averages around $100,000, it can climb into the millions for enterprises. For pensions, Schreader emphasized that it’s not a matter of if employers and plan sponsors will have a breach but when.

Matt Saunders, counsel at Borden Ladner Gervais, who also serves as breach coach for clients facing ransomware attacks, highlighted a reality of what a worst-case scenario can look like, underscoring that preparation is what makes the difference between a manageable incident and a full-blown crisis.

Reflecting on a real-world case that impacted pensioners in the UK, Saunders described how a single vulnerability led to the exposure of sensitive information for thousands of individuals. But the technical breach wasn’t the only problem.

“The vulnerability was within the system of the organization; the result was thousands of individuals impacted at an extreme cost from a response side of things,” noted Saunders. “The bigger issue, though, in my mind, was how the communications part of the response was derailed. When you’re hit with a cyber attack, it could be a ransomware incident, it could be a business email compromise. It might be somebody who's lost their laptop and they forgot to put their password on it… All of these things can raise crisis communications issues, and you're going to be so much better prepared for how you handle that situation if you're able to tell the story your way.”

He pressed pension administrators to take a hard look at the kinds of data they hold, and to align their data retention policies with the actual sensitivity and volume of that personal information.

“Where is that data? Who has access to that data? How is that access tracked?” These questions, he added, need to be answered before the breach call comes in, not in the middle of an incident or after it. If those systems are misaligned, organizations increase their exposure unnecessarily, he said.

He also stressed the importance of having a flexible, pre-built notification strategy. Whether the breach is minor or catastrophic, organizations need to be able to respond quickly.

Finally, Saunders returned to a recurring theme: human error. He noted that many cyber incidents begin with an employee clicking the wrong link or visiting a compromised site.

He encouraged organizations to begin their cybersecurity readiness efforts by taking stock of what they already have in place as most plan sponsors likely have an emergency response or business continuity plan that can serve as a starting point.

He also suggested that teams begin with a gap assessment: identify existing policies, determine what’s missing, and then prioritize improvements. For those starting from scratch, Saunders emphasized the importance of assembling the right people early, even if individuals are wearing multiple hats.

Whether it’s someone in IT, HR, legal, or communications, bringing the right internal stakeholders to the table is a critical first step, he said.

“You don’t need to reinvent the wheel. Starting from a foundation that already exists is so much better but you’ve got to find it first. That holistic approach is going to provide your organization with benefits, not just from a response perspective, but also reduce liability down the road,” said Saunders.

“Don’t be scared. If you're literally starting a cyber program today, that's okay. It's better than starting it tomorrow, or never doing it at all,” he added.

Josh Welsh, Journalist, Benefits and Pensions Monitor

Josh Welsh is a journalist in the Wealth vertical for Key Media. He's the lead reporter for BPM and has written for BPM's sister US publication InvestmentNews. Josh is a Humber College alumnus, with a bachelor’s in journalism and a diploma in screen acting.

When he’s not writing or interviewing, he’s likely spending time at the historic Arts and Letters Club of Toronto, watching the newest movie on the biggest screen possible or pursuing his dream of being an actor. For story suggestions or to get in touch, he can be reached at [email protected].