In an Uncertain World, Cybersecurity Risks Are Always Present

Shareholder Advocate Summer 2024

July 31, 2024

There is no shortage of uncertainty in our world. That said, two certainties that bear directly on the fortunes of pension funds—death and taxes—have always impacted the work of public pension administrators. Now we can add a third certainty to this list: the necessity of cybersecurity preparation.

According to a recent Forbes report, there were 2,365 cyberattacks last year, with about 350 million victims. That represented a 72% increase in incidents since 2021, the previous high-water mark for cyberattacks. On average, each cyberattack costs about $4.5 million. The most typical attacks arrive by email, text, or phone, with familiar vendors the most common targets—Microsoft, Amazon, Google, and Apple, to name a few. The risk is apparent. And literally as I write this, a massive cyberattack at AT&T is being reported.

In June, during the National Association of Pension Plan Attorneys’ 2024 Legal Education Conference, a panel of experienced pension fund lawyers and consultants offered some guidance regarding cyberattacks and how to prepare. The following draws from their advice.

First and foremost, educate yourself about the risks surrounding cyberattacks. From there, it is necessary to develop policies, some of which will be mandated by law and others specific to your organization. Importantly, administrators must clearly and unambiguously specify the chain of command and roles for dealing with cyberattack issues, including an actual attack. Response protocols also must be detailed and unambiguous, so that intrusions are dealt with as quickly as possible. These processes must accommodate the many different aspects of responding to an incident: internal protocols, governing laws and regulations, notifications, and timing are among the important considerations. The development of these rules is not for the faint of heart, since they may implicate legal requirements, enterprise-wide functions, beneficiaries, external constituencies, and vendors, and carry a variety of other risks.

Once the rules and protocols are in place, it is necessary to undertake regular training, especially for the personnel responsible for dealing with a cyberattack. Since attacks can emanate from anywhere within the enterprise, all personnel must be trained to recognize the risks of a cyberattack that may target their own computers, so that they can prevent the organization’s systems from being invaded or raise an alert with those responsible for responding. The training should also include drills to ensure that any actual response is quick and direct. There also must be regular review of the policies, protocols, and practices, with appropriate revisions and updates, especially since the breadth of risks posed by cyberattacks is constantly evolving. Vigilance is a key component of ensuring up-to-date security.

Among the many aspects of policy, protocol, and practice to be addressed is the essential challenge of notifying those potentially affected by an incident. Applicable federal, state, local, and in some circumstances even international laws govern notification requirements for law enforcement and for affected members and beneficiaries. Privacy laws, including HIPAA for health information, and SEC requirements must be considered. You may have contractual provisions governing third parties and vendors—not only regarding their roles in direct cyberattacks on the pension system but also regarding incidents affecting those parties that could implicate system information.

Cybersecurity insurance may also be warranted. First and foremost, the insurance available for these attacks must be scrutinized for coverage, exclusions, and cost, but other factors also come into play when selecting a policy. This is another area of significant variation and evolution so, again, regular review will be necessary.

As any incident is likely to involve issues with legal counsel and advice, the role of the attorneys involved should be resolved early so that issues surrounding privilege and work product can be understood. Maintaining careful records is, as always, essential to establish fiduciary compliance, and record development and retention, to avoid the risks attendant on these kinds of crisis situations, should be considered early and fully. Data are valuable in today’s operating environment, meaning information not directly affected by any specific attack must also be protected, so these matters deserve informed assessment.

This litany of approaches to deal with the risk of cyberattacks is meant merely as an introductory primer. Even from this approach, though, the risks inherent in the enterprise and the opportunities for missteps during responses, which can be hurried and erratic if not well conceived and planned, are evident, with concomitant negative effect on fiduciary duty. The use of experts, both internal and external, may well be warranted in order to minimize what is now inevitable: the risk of harm from cyberattack.