Cybersecurity: Protecting your retirement system from hidden threats

September 26, 2024 / 7 min read

As cyberthreats become an increasing risk for public retirement systems, it’s vital that boards, CEOs, and CFOs uphold their fiduciary responsibility to protect members. Here are 5 considerations for building a comprehensive cybersecurity strategy.

As cyberthreats become increasingly sophisticated, public retirement systems face a daunting challenge to protect their members’ vital data. While IT and operations teams are the primary defenders against cyberthreats, it’s imperative for boards of trustees, CEOs, and CFOs to recognize and assume responsibility for the strategic side of cybersecurity measures. Why? Safeguarding sensitive data such as Social Security numbers, payroll information, and bank account details transcends technical concerns — it’s a core component of a leader’s fiduciary duty. This leads to an often-heard question: Is our cybersecurity strategy advancing rapidly enough to keep pace with evolving threats? The urgency for decisive action has never been greater.

The strategic imperative of cybersecurity in public retirement systems

The strategy of cybersecurity extends far beyond technical concerns alone. Breaches can result in significant financial losses, severe legal consequences, and a profound loss of trust among members. Remember this: the question is not if your system will be targeted, but when. As an organization and as a leader, you must be prepared to respond effectively. It’s incumbent on you to take the helm in the fight against cyberthreats by prioritizing cybersecurity, demonstrating a commitment to safeguarding your members’ financial futures, and shouldering your fiduciary responsibilities.

From strategy to action: Engaging with control owners 

While a strategic understanding of cybersecurity is essential, it’s equally important that this is translated into actionable steps. This starts with actively engaging process and control owners — the individuals and teams responsible for operational effectiveness and control over specific security measures and processes within your organization. They’ll provide critical insights into your current cybersecurity posture — the necessary first step in ensuring your cybersecurity defenses are robust and effective. During this process, there are five key areas you should focus on.

1. Risk management practices

Understanding and overseeing risk management practices is fundamental to cybersecurity leadership. This requires regular and comprehensive risk assessments to identify vulnerabilities across all operational areas. The assessments should be thorough and systematic, leaving no risk undetected. If your current assessments are infrequent or superficial, schedule more regular and in-depth evaluations. Consider engaging external experts to provide an independent and detailed assessment of your organization’s cybersecurity posture.

Prioritize the risks. Effective risk prioritization ensures that your most critical vulnerabilities are addressed first, and it helps optimize resource allocation and mitigate potential threats efficiently. Your board should review and approve the criteria used for risk prioritization and ensure they align with the latest threat intelligence and your organization’s strategic objectives.

It can’t be stated strongly enough: understanding and acting on the insights from risk management activities helps your organization’s leaders make informed decisions, allocate resources effectively, and implement targeted security measures. By being proactive, you’re taking a decisive leadership role in fortifying cybersecurity defenses by transforming risk management data into actionable strategies.

2. Data security measures

When it comes to data security, it’s essential that leaders know where data is stored and what security protocols are in place to protect it — a fundamental first step to protecting sensitive information. If gaps are present, it’s crucial to immediately implement necessary protocols such as encryption, active monitoring, prevention, and access controls. In some cases, migrating to more secure storage solutions may be necessary.

It’s also important to understand and control who has access to your organization’s data. To reduce the risk of internal breaches, stringent access controls are essential to limit data exposure to authorized personnel only. Regular reviews and adjustments of access permissions should be a standard practice. As a leader, you’re responsible for ensuring these reviews are conducted systematically and that access policies are updated according to evolving threats.

Having a robust data breach response plan in place should be a high priority. Quick and decisive action helps mitigate damage and maintain trust among stakeholders. A strong plan along with strict attention to all regulatory compliance requirements will maximize your organization’s strength against cyberthreats. If your current plan is inadequate, it’s imperative that you develop a comprehensive data breach response plan. The plan should include regular drills to ensure that everyone knows their role and can act quickly during an incident. Boards, CFOs, and CEOs should oversee these drills and review the response plan regularly to ensure effectiveness and alignment with best practices.

3. Security of financial transactions

Maintaining the integrity of your organization’s payment cycle is vital to preventing fraud and errors. Ensure proper segregation of duties to mitigate fraud risks, and complement this with regular internal and external audits to verify that payments are disbursed accurately and to the correct individuals. This oversight should extend to stringent verification procedures for changing bank account deposit information or beneficiaries. These essential measures must be enforced consistently and not merely treated as audit checkboxes.

Use detailed audit trails and advanced technologies like machine learning tools to help detect anomalies. These methods can significantly enhance fraud detection capabilities and help you stay ahead of sophisticated fraud schemes. And augmenting the technologies with continuous monitoring and real-time analysis will bolster your ability to swiftly identify and address suspicious activities.

As a leader, you should actively oversee these processes, verify that audit recommendations are implemented, and ensure transaction security measures are continuously updated to address emerging threats.

4. Operational resilience

A high level of operational resilience ensures that your retirement system can continue to function effectively in the face of cyber incidents like ransomware. Prioritize measures that keep critical systems available during disruptions. Prepare detailed disaster recovery and incident response plans and conduct regular tests to ensure their integrity. These efforts should include your organization’s third-party data hosting and cloud services providers.

Education plays a key role in resilience. Regular training on phishing and social engineering threats is critical. Training programs must be robust and continuously updated to address new and evolving threats. Leaders should ensure that training isn’t a one-time event, but an ongoing effort supported by a culture of continuous learning and vigilance.

The growing reliance on third-party vendors and the subsequent cyberattacks on these organizations underscore the need to monitor and mitigate these external risks in order to minimize vulnerabilities in your organization. Managing this risk requires a rigorous assessment of each third-party vendor’s security controls, clear contractual provisions around liability, and planning that takes into account the operational, legal, and financial implications of a breach. At a minimum, ensure your vendors provide SOC reports or other compliance documentation that offers insight into their security programs.

Implementing “immutable backups” — backups of your data that can’t be altered or deleted — can provide a reliable recovery option in the event of ransomware attacks or data corruption. Regular testing of these backups is important to ensure they’re effective and can be relied upon during an incident.

5. Upholding your fiduciary responsibility

As a board member or executive, cybersecurity is a key component of your fiduciary duty to retirement system members. The duty encompasses an understanding of cybersecurity risks and actively managing them to ensure comprehensive protection for the organization. This means you should view cybersecurity as a strategic issue (not just an IT matter) and ensure clear communication strategies are in place to keep members across the organization informed about security measures and emerging threats.

Regulatory compliance is a nonnegotiable part of fiduciary responsibility. But compliance is just the beginning; it should be a baseline that’s supported by regular audits that ensure ongoing adherence to required standards. Adopting standards for cybersecurity excellence that go beyond mere compliance demonstrates a strong commitment to exceptional stewardship and member protection.

As mentioned previously, continuous cybersecurity training for all staff and board members helps ensure everyone is aware of the latest threats and best practices. But this training should be backed up with clear, easy-to-use reporting channels for staff to report suspected security incidents quickly and effectively to help enable swift action by your response team. These channels should be well-publicized and become integrated into your organization’s culture.

Looking ahead: The challenge of staying proactive

As retirement systems continue the march into the digital age, it’s critical to stay ahead of emerging trends and technologies. Cybersecurity is no longer a theoretical or distant threat — it’s a pressing issue that demands your attention today. Artificial intelligence, blockchain, and advanced encryption methods hold promise for enhancing security but they also present new challenges.

The stakes are high, but by adopting a comprehensive, forward-thinking approach, embracing innovation, and maintaining a proactive stance, your retirement system can continue to protect its valuable assets and maintain the trust of its members. But the question remains: Are you, as leaders, ready to meet the future head-on?
