Pension plan administrators and their service providers are increasingly relying on technology for asset management, and personal and confidential data collection, making them potential targets for cyber attacks.
On November 29, 2022, FSRA hosted a webinar on cyber security and pension plans. The webinar supported the sector's understanding of:
- current cyber security practices in the pensions sector
- insights and strategies to safeguard plan assets and data against cyber attacks
- what to do in case of a cyber attack
Over 280 attendees participated in the webinar and had the opportunity to ask questions directly to our FSRA team.
Cyber Security Webinar
Date: November 29, 2022
Presenters: Caroline Blouin, David Bartucci, Ted Harman and Ryan Wilson
Caroline Blouin
00:02 Hi. Good afternoon and welcome, everyone. Bonjour. My name is Caroline Blouin, and I'm the EVP of pensions at FSRA. It's wonderful to see so many of you joining us today. The count is at 175. It's great. And it's my pleasure to be here to open this webinar today. Before we begin, I would like to invite you to take a moment with me to acknowledge and be grateful for the land we are on today and for all the people who have and do live here. We remember and respect that this land is the traditional territory of many nations, including the Mississaugas of the Credit, the Anishinaabek, the Chippewa, the Haudenosaunee, and the Wendat peoples. And it is now home to many diverse First Nations, Inuit and Métis people. We acknowledge that Toronto is covered by Treaty 13 with the Mississaugas of the Credit, and the Williams Treaties signed with multiple Mississaugas and Chippewa bands. We also acknowledge that we are all treaty people and accept our responsibility to honour all relations.
Caroline Blouin
01:42 Now let me go through a few housekeeping items. We're using the MS Teams live events platform today. And as an attendee, your audio and video have been disabled. Please submit your questions using the Q&A icon at the top right-hand corner of your screen, and we will address your questions at the end of the presentation. Now, if we do not get to your question today, not to worry. We will post the answers on our website in a couple of weeks, and as soon as the answer has been posted, you will receive a notification via email. Lastly, today's webinar is being recorded. We will post a copy of the recording, transcript, and slides to our website in the coming weeks. Second slide, please. Today's session is focused on cybersecurity. As background, this summer, we released a pulse survey with a cross-section of the plans under our supervision. I'd like to thank all of those who participated in the survey. We really appreciate your insights. And as part of today's presentation, you will hear some of the key findings from the survey. You will hear from two cybersecurity experts about current cybersecurity best practices, ways to protect your pension plan assets and member data, and what to do in case of a cyberattack.
Caroline Blouin
03:32 With that, I am pleased to introduce you to our speakers today, starting with my colleague, David Bartucci, who is the head of pensions stakeholder relations and special projects; next is Ted Harman, president of Accent Insurance Solutions; and Ryan Wilson, who is a cybersecurity partner at Ernst & Young in Canada. Thank you so much to all three of you for leading today's webinar. I'm sure we will learn a lot from you. Next slide. In our digital world, as you know, cyber threats are real, and they're continuously evolving, so understanding cyber vulnerabilities is critical to keeping your plan assets safe and protecting plan beneficiaries. And FSRA is working with CAPSA on cybersecurity guidelines to support plan administrators, and David will share more about this work with you today. We also know that pension plan administrators and third-party service providers control large sums of financial assets as well as personal and confidential data, and this makes them particularly attractive targets for cyberattacks and fraud. Ted will share his experiences and point of view as a target of a cyberattack, and finally, Ryan will share his insights about how we should be thinking about cyber risks and threats and the leading practices for cybersecurity risk governance. I hope you find today's webinar informative, and I will hand it over to Ted to share his experiences and insights.
Ted Harman
05:49 Well, good afternoon, everyone. Welcome. I'd like to take a moment to thank Caroline and her exceptional team for inviting me to address you today. In my practice as an insurance broker, I'm seeing an alarming increase in social engineering fraud, which is a fraud that is perpetrated on an individual in a firm who is misled into acting upon instructions from a criminal believing that the criminal is actually a different person who is normally a person of trust from whom you would normally accept instructions. The case that's highlighted on the slide, Future Electronics versus Chubb, is a case where employees of Future Electronics were persuaded to change the electronic fund transfer information or instructions to settle a supplier's account. The amount of loss in the case was $2.7 million. The amount that was insured was only $50,000. The remainder was never recovered. So you might ask yourself what's the difference between social engineering fraud and computer fraud, which is covered in most crime policies. Indeed, in the case of Future Electronics, they had a crime policy with a limit of $25 million, so you would normally expect that the $2.7 million that they lost would be a recoverable amount. Computer fraud exploits technical weaknesses in your computer system. That's what you pay those IT people lots of money to be able to manage for you, and Ryan will speak about that a little bit later on. But social engineering fraud exploits weaknesses in human beings. Our inherent nature to trust people is a weakness that fraudsters use to their advantage and most often to your dismay.
Ted Harman
07:28 We've had several clients who've been victims of what, for them, were significant funds [inaudible] which were not recovered. We recently had a client that lost over half a million dollars in a fund transfer scheme where the fraudsters were able to intercept and change the financial instructions. The client was not insured for this specific amount because they had chosen not to purchase social engineering fraud insurance. Changed instructions that you receive must be verified by several different sources. And so in the case of the Future Electronics case, they lost $2.7 million essentially because an employee accepted instructions via email and acted upon instructions that were given by email. You need to verify by multiple different means, including voice, and invariably, I would suggest that you verify directly with the bank to whom you will be sending funds that the account is actually registered to the person or the entity to whom you expect to be sending the funds. I would recommend as well that you verify your coverage and ensure that you have specific social engineering fraud coverage in place that covers your largest electronic funds transfers throughout the year. If social engineering fraud is a separate coverage, it's often sold as a separate policy. And I would suggest to you that it would be prudent on your part to consider purchasing coverage in much greater quantity than the standard limit that would be included with your base crime policy.
Ted Harman
09:10 Recently, and if we go to the next slide, I was personally involved in a cyber attempted extortion. And I realize that on the screen, the writing is pretty small, but what you will find is that I received an email from myself. And when you receive an email from yourself that you know you didn't send, you get a little bit spooked. And so what I did was I contacted the security team at my IT provider. Their investigation revealed that the criminal had been able to spoof my email sender information to make it seem like they had control of my account. And certainly, if you read through the email, you would see that they're trying to lead me to believe that they absolutely do have control of my account. The security team was able to assure me that there had not been any breach. I've redacted the email because one of the things that they do is they suggest that they have recordings of you, that they've been surveilling your behavior for a number of weeks or months, and that they're going to expose all of the things that they've been able to capture from your system while they were in the background. So the best practice is for you to reach out to your cybersecurity team and have them do a detailed analysis of what has happened. In my case, it was simply an attempted extortion. But if you Google a Bitcoin wallet that was included in the email, you'll find that that specific wallet has been used in a number of different fraud attempts across North America.
Ted Harman
10:58 If I can leave you with an important takeaway today, it would be to exercise strong online hygiene behavior. The weakest link in any system is the human that is interacting with that system. Multifactor authentication, obligatory secure portal connections when working remotely, regular password change requirements, password complexity requirements, all help to sanitize your online environment. And no, using your pet's name with 123 at the end is not an adequate password. I've also provided some resources that will be made available to you by David, from Chubb Insurance, one of Canada's leading insurers operating in the cyber insurance market, and I hope that you'll find the resources helpful. And if any of you have any questions, you can always reach out to me. David has my contact information. David, thanks very much for having me, and back to you.
David Bartucci
11:53 Thanks so much, Ted, for sharing your experience and expertise with our participants today. I want to spend a few minutes talking about two things. The first is sharing with you some of the key findings from the CyberPulse survey that we did a few months ago. The second is highlighting some of the key takeaways from some of the guidance that we've been working on with colleagues at the CAPSA table. And so I'll start with the findings from the survey. So we shared the survey with a good cross-section of plans in the sector. So that included defined benefit plans, multi-employer pension plans, and defined contribution plans. We also tried to make sure that we had good coverage of respondents across size of plans so that we could share some findings to help identify for us and for you whether the practices that plans are adopting vary by size. And we understand that proportionality is always a concern in issues around administration and control. So the findings are sort of grouped by the banks of questions that were included in the surveys. The first one sort of gets at how many plans have an explicit cybersecurity policy and dedicated cybersecurity resources. So the number of resources varied greatly from 1 to over 300, and many identified that they had an explicit policy in place. We recognize - and I'm sure Ryan will spend a little bit of time on this as well - that many plan administrators rely on third parties to help administer all or most parts of their plan, and having a third-party risk management framework in place that deals specifically with cyber-related issues is something that we recognize is important, and I'm happy to say that most of the respondents have a third-party risk management plan in place, and that program is integrated with their vendor risk management in many instances.
David Bartucci
14:12 Next slide, please. In terms of incident reporting, most of the respondents had a policy or program in place, and most are reporting, or all are reporting incidents. More than half of the respondents have been thoughtful about and are performing risk assessments, including on cyber-related issues, and, as expected, plans are holding a lot of important data, including confidential protected health or medical data. And so Ryan, I'm sure, will spend a bit of time talking about the risk profile and what might be attractive to cyber criminals, but I think just to spend a moment, that when you think of the assets held by a plan and plan administrator, it's not just the funds in the pension fund, it's the data and member data that can be attractive to cyber criminals. I'll just spend a moment on the human controls. Ted talked very eloquently about how humans are sort of the weak link in the chain. And I'm happy to say that most of the respondents have an awareness program in place and that the plans are testing this.
David Bartucci
15:41 Next slide, please. So a few kind of takeaways that I really want to drill in on. Most of the respondents have a cybersecurity policy in place, and the number of resources that plans have obviously varies by the size of the organization. We also see that many organizations are reporting incidents and paying attention to data protection and other privacy controls and reporting those to other regulators both in Canada, across Canada, and in Europe and other jurisdictions that they operate. I think a lot of these regulatory sort of responses tend to be correlated highly with the line of business that the plan sponsor is in rather than an outcome of being an employer that has a pension plan explicitly. Next slide, please. So we know from the responses that 100% of the respondents are managing and monitoring for threats during business hours. However, some respondents reported to us that they're only monitoring during business hours, which obviously leaves a gap that's important for administrators to consider, that there is a period of time where someone could be in your system without sort of that active knowledge. And we're also happy to see that 100% of respondents are performing post-incident activities. And then on the right side of the slide, these are the most common successful cyberattacks that respondents reported to us in the past 12 months, so phishing, credential compromise, denial-of-service attacks, and ransomware, in that order of the top four. And I think that's aligned with some of the insights that Ted shared with us a few moments ago.
David Bartucci
18:02 Next slide, please. So I'll pivot now to a regulatory approach and what you can expect from FSRA and other regulators. So as most of you, or many of you will know, FSRA is a member of the Canadian Association of Pension Supervisory Authorities or CAPSA. As part of its strategic plan, CAPSA decided to prioritize both risk management and cybersecurity, and CAPSA published a draft cybersecurity guideline for public comment back in June. CAPSA members are reviewing those comments now. And the guideline is in draft still, available on CAPSA's website. The link is on this slide. I also wanted to share with you that CAPSA posed a question to the sector around whether it thought an integrated approach to risk management in a guideline that is inclusive of cybersecurity among other risks was sort of a good idea. And I'm happy to report that CAPSA received supportive feedback on that. So what we're spending some time doing now is drafting that sort of integrated risk management guideline that will have, in an integrated way, a section dedicated to cybersecurity, and we'll aim to have that available for public consultation, both the integrated risk guideline along with the piece on cybersecurity, in spring 2023.
David Bartucci
19:44 Next slide, please. I did want to share, though, with the attendees, some of the key concepts that are included in that draft cybersecurity guideline. And I don't think anything on this slide will be surprising to you, but what we and CAPSA know is that cyber risk is a key risk for all plans depending-- or regardless of their size or characteristics. CAPSA expects that administrators are regularly reviewing and assessing this risk to ensure appropriate controls are in place. CAPSA reminds plan administrators that they have a fiduciary duty to ensure that their plan is administered with the care, duty, and skill of a fiduciary and that cyber risk is a key part of understanding and managing risk in your plan and that appropriate controls and training should be in place to manage this risk. We also understand, and I chatted a little bit about this before, that many plan administrators rely on third parties to help administer all or a portion of their plan and that roles and responsibilities relating to cyber risk and other types of risks that are important to be managed by service providers need to be clearly defined, assigned, understood, and careful consideration should be taken when delegating activities to third parties and to applicable subcontractors of those third parties. And CAPSA expects that administrators have a strategy in place to respond and report cyber incidents as required by their jurisdiction.
David Bartucci
21:44 So what you'll see again in the new integrated risk management guideline is a lot of these concepts further articulated and some other helpful advice for administrators to think about how they can manage cyber risk in their plans along with, of course, other risks that we know are front of mind for administrators. Next slide, please. And I'll hand it over to Ryan at this point, and thank you for your time.
Ryan Wilson
22:22 Thanks, David. Hello, everyone. I'm going to spend the next little bit walking you through kind of what we're seeing out there in the wild, what's going on from a cyber perspective, and then we'll talk through kind of some of the leading practices that you may consider as you start to think through what your overall cyber program may look like and enhancements that you may be able to make along the way. So I wanted to start by simply defining kind of what the cyber threat methods and motives look like out there. And as you kind of heard from Caroline, Ted, and David, a large number of the cyber crimes that we're seeing perpetrated today are financially motivated. And obviously, you as plan administrators holding pension information are key targets for attackers out there. Again, they are looking at targets where they can essentially extort and steal potential information that has value to it and ultimately for the reasons of financial gain.
Ryan Wilson
23:29 By far, the most prominent cyberattack that we see in this particular sector, as well as every sector out there today, is ransomware. Ransomware continues to be on the rise and evolves dramatically as the sophistication of attackers continues to increase. So it's an ongoing threat that we all have to deal with. The reality of ransomware is it has evolved to the point where organized crime is offering ransomware as a service. So just as organizations go out today and buy software as a service and it's completely supported by an organization, criminals have the equivalent of ransomware as a service, where it's provided completely in the cloud. It has a help desk and support team behind it. They will help you to craft a ransomware attack against an organization and then extort that particular organization for payment, which typically involves Bitcoin. So very much so, these attackers are motivated, they are sophisticated, and they are targeted in who they're going after. Typically, their targets involve entities that hold sensitive information. So it could be PII or personally identifiable information. It could be health information. It could be, obviously, financial assets that they're interested in acquiring. So again, a number of different motives that are out there today. The other thing that we see these attackers targeting is new technologies that are being adopted. So as we're pivoting our business models, as we're enabling digital innovation, as we're striving to offer a better client experience, attackers are looking at those new avenues that we're enabling and looking for vulnerabilities that we've opened up or created that they could take advantage of. And so we really have to make sure, as we're kind of launching new services, that cyber is embedded inside of it and that we're getting in front of these problems.
Ryan Wilson
25:32 Next slide, please. So one of the things that we really need to think about, and David touched on this earlier on, is security has to be proportionate. And obviously, as pension administrators, there are various different sizes and complexities to your business out there today. So a one-size-fits-all approach just absolutely doesn't make sense here. And so really focusing in and honing in on what we are trying to protect and what the key risks for our organization are are the questions that you need to be thinking about and be able to answer. And so it's actually a very useful exercise that a lot of organizations go through today. We call it threat modeling. And so we look at what our critical assets are, what we are trying to protect as an organization, what the impact to us would be if an attacker got access to those systems, and ultimately understanding what the various different threat actors out there are that could be coming after us and what the vulnerabilities are that they could potentially take hold of to gain access to that information. And from understanding that, you can put together a plan that is risk-based, that is proportionate, and focuses on the things that most matter to you. The interesting part is when we started building cyber programs many years ago, it had a very costly and heavy price tag associated with it. If you look at the new dynamic nature of controls that are available out there to you today, even the smallest entities have the ability to put in place robust and comprehensive cyber controls at a price point that is commensurate with the size of their environment, the number of users and what they're trying to protect. So dramatic improvements from various different cloud service providers and tooling that we have access to that no longer cost the same as what it cost years ago, again, typically through subscription models and per-user-based pricing.
Ryan Wilson
27:40 And then this allows us to really kind of think through how we protect the data that's most critical to us and put a very focused programmatic view on how we protect what's important. We've obviously seen a number of recent headlines specifically within the pension space of entities being breached. And I think what's really important is not the size or the scope or magnitude of those breaches, but what the common themes of how they happened are, and what practical things you as plan holders and plan administrators can do to help prevent those types of incidents from becoming your reality, essentially. And so if we boil down kind of the types of attacks we're seeing - Ted brought it up earlier in the conversation - one of the key things that organizations can do is implement multifactor authentication. Again, we want to train, we want to educate, and we want to make sure our people are security conscious, but we need to backstop them with the right technologies and processes to be able to make our program effective. So multifactor authentication is one of those controls. And our incident response team always laughs when I say this, but if people just implemented multifactor authentication and had effective security monitoring in place, you can eliminate a large number of the common threats and common breaches that are happening out there today. So use MFA, have that third piece of the credential, so a username, a password, and then a token code or an application that produces a random token code that is something that an attacker is just not going to have access to. And so it stops a dramatic amount of the credential compromise situations that organizations are going through today that ultimately lead to a breach.
Ryan Wilson
29:46 David touched on security monitoring earlier. This is a really vital piece of the security equation. We need to know if a perpetrator is trying to gain access to our resources. We need to make sure we do that security monitoring 24 hours a day, 7 days a week. Realizing that this is very difficult for smaller organizations to accomplish, this is where we look to third parties and partners to be able to provide that. You're never going to build that capability in-house in a smaller entity. Just fiscally, it doesn't make sense. But you can absolutely subscribe to a service like that and they are affordable and it's something that all plans can kind of think through. The other interesting part, as I was kind of going through the sanitized data set for the survey that was recently issued, is a lot of pension plans do not have advanced malware protection. And this is something that all organizations should be thinking through and implementing as part of their strategy. Again, if we look at ransomware, if we look at the types of threats we're facing, advanced malware protection is a must for most organizations today, especially if you want to combat and stop a lot of these particular threats before they become real cyber incidents that you have to deal with.
Ryan Wilson
31:12 And the last part I wanted to just talk about was vulnerabilities. So during the first year of COVID, the amount of innovation that was happening within pension plans was staggering. A lot of organizations were really focused on how do we continue or better our client experience, how do we launch new mobile or digital services. And the one thing that we found a lot of was organizations forgot to embed security. And so we introduced these new platforms and these new mechanisms to interact with our clients, but we left vulnerabilities and doors open. And so reviewing what you've launched over the last few years is a critical piece to this as well, making sure that you have a view into what vulnerabilities may exist out there, and more importantly, what vulnerabilities an attacker may take advantage of and gain access to information and resources that they shouldn't.
Ryan Wilson
32:10 Next slide, please. So cyber is obviously a very large and complicated topic, but one of the things that we've been working on a lot is really how we build a framework and structure a conversation between the management teams and the board of directors that's meaningful and makes sense and is something that's easy for all organizations to leverage and use. And so you can find more at the EY Center for Board Matters on this, but this simple framework is something that a lot of organizations and a lot of pension plans specifically are starting to leverage today. So it really begins with setting the tone and making sure that we have the right cadence and visibility into what we're trying to protect and what the goals and ultimately the performance indicators of our program are from a cyber point of view, something that you've agreed to with the board, something that you're reviewing on a regular basis. We also want to make sure that every organization stays up to date. Cyber changes very quickly and we need to make sure that we're shifting and we're making sure that we're monitoring our risk to make sure that we are managing cybersecurity inside of our risk tolerances for the organization.
Ryan Wilson
33:34 The other piece that we need to ultimately base this program on is the value at risk. We need to understand ultimately what we are trying to protect, how much we are going to spend in terms of dollar amount on those controls, people, process and technology to secure our assets, and what makes sense relative to the value of those assets, right? And these are all conversations that the management team should be driving with the board of directors. The next column or next area really focuses on how we make this a reality. And so one of the biggest things that successful organizations are doing out there today is they're embedding security from the start. So as we spin up a new digital initiative, we make sure that cyber is at the table. They're a stakeholder and they're involved all the way through, making sure that they've got visibility into how that program is progressing, that it meets the business needs, but more importantly, that as we go to market, as we launch this new digital service, that it is secure by design.
Ryan Wilson
34:44 The next area is ensuring that we're doing the right things. And so many organizations today are regularly assessing their cyber program - is it performing as we expect? - and in many cases, bringing in an external third party to provide an independent review to the management team and board on how that program is performing, progressing, and the overall maturity of cyber practices across the board. If you're a smaller entity, this is still very relevant in looking broadly at all of the cyber risks that are associated with the business that you have and making sure that as you kind of assess maturity, that you're looking at not only your internal capabilities but those third parties or other entities that you depend on to deliver cybersecurity services. The other thing that we want to make sure of is that we understand what to do when a cyber incident or event occurs. So making sure that there is a proper incident response plan, that we understand what the escalation protocol looks like, who should be involved when, and more importantly, who should be notified and informed as an incident evolves. Trying to figure this out during the incident itself and trying to do it on the fly typically results in suboptimal performance in management of a cyber incident or crisis. And so we want to make sure that a lot of this is defined up front and ahead of time so that we can get in front of the problem and manage it appropriately.
Ryan Wilson
36:25 And then the last part of this framework is really about managing and monitoring risk. And one of the key pieces that we found that is still under development in a lot of organizations today is third-party risk. So as we look at our supply chain, as we look at our critical suppliers, how do we make sure that they're not a point of weakness for us as well? So it's not just about ensuring our cyber program to protect our pension data and information is secure, it's about understanding how third parties could also impact the security of that. We often see sophisticated attackers won't go through the front door. They won't go directly to your organization if they feel you have sufficient or comprehensive cyber controls. Instead, they'll go through a third party or an entity that may not have invested so much in cybersecurity to be able to ultimately gain access to what they're looking at getting access to. And then the last two pieces that I just wanted to cover with you quickly are really about testing response and recovery. There have been a lot of entities that have suffered significant cyber breaches and compromises, many involving ransomware. And the number of organizations that are not able to recover as they expected they would be is staggering in Canada and globally. I can think of five entities that I've been involved with directly where they suffered a wide-scale ransomware attack where the organization was no longer able to function. And when they went to go back to backups and restore systems, they realized that even their backups were online and also encrypted through that ransomware incident. So they had no choice but to pay the ransom to the attackers in order to be able to resume normal business operations. So testing your response and recovery capabilities is a really critical piece as you kind of think through the evolution of your cybersecurity program and practices.
Ryan Wilson
38:36 And then the last piece is really around understanding what's happening out there in the marketplace today. It's really important to stay up to date on what those evolving practices look like, how your peers are doing in this industry, and more importantly, what are the disclosures that are coming out in terms of cyber breaches and sharing threat intelligence data with organizations that are of a similar nature to you so that you can stay on top of these cyber threats and mount an effective posture, capabilities to prevent these types of cyberattacks and ultimately recover from an attack should you experience one. So with that, I'll turn it back to David for the next section.
David Bartucci
39:24 Thanks so much, Ryan, for sharing those insights and advice. I thought that was really great. So there's been a couple of questions that have come in. As a reminder, the live event Q&A is at the sort of top right of your screen. So the first one that I'll address in the context of the survey is where employer policy is equal to a plan's policy. So we shared the survey with the contacts at plan administrators and invited them to sort of share the questions with whomever they thought was best positioned to help respond. So I think, in a lot of instances, where the plan's sort of primary contact is the administrator and the sponsor is the same, then they were probably answering the question from the perspective of their employer. A lot of respondents, though, used consultants or other third parties to help them manage this. And so I think where those responses to the survey came back from some of the service providers, I sort of assumed that they were unique to the plan. But for the purposes of the survey, we sort of considered these as the same.
David Bartucci
40:52 The next question is around records retention. So the way that I'll answer this question is that we know that the question around record retention policy is one that is important to the sector and something that we intend to address through some upcoming guidance on it. We are working now to take a look at a piece of guidance that we issued, I think, last summer around administrator roles and responsibilities, and are going to be taking the opportunity to update that guidance, including looking at issues around records retention policy and also thinking a little bit about how plan administrators can and should be considering how they can deal with member complaints. I'm going to actually see if I can throw a question to Ryan now on how do we convince plan sponsors and members that systems are safe.
Ryan Wilson
42:13 Yeah, I think that's a great question. So I think there's a few ways that you can do this. So one is if you're having external or third-party assessments done on your cyber program that show the completeness and the maturity of that program, you may consider sharing a summary view of what that looks like. Obviously, you won't want to share the detailed view of the program. But typically, a letter or a very summarized version of a third party, a reputable organization assessing your program is a good way to do this. The other thing that I will see a number of entities do in this particular case as well is issue a letter from their management team talking about their focus and dedication to cybersecurity and specifically, focus on things like how are you protecting plan member data, the data security controls that you do wrap around it in order to make sure that that data is safe and only accessed by people that obviously need to do so on a need-to-know basis.
David Bartucci
43:25 Ryan, can I ask you as well to answer the question around two-factor authentication?
Ryan Wilson
43:35 Yep. Just reading it here now. Yeah, so the question really talks about what two-factor mechanisms are secure and which ones are considered less secure. So the answer to that question is there is absolutely a difference in the type of secure two-factor authentication that you use. Text message and SMS is probably on the bottom of the list of those. There have been well-known examples where SMS and text message data was compromised in an orchestrated attack using a bypass mechanism for two-factor authentication. So SMS and text messages would be at the bottom of your list. The more common way, and the more secure way, to enable two-factor authentication is through a secure application on your phone. Microsoft, Google, for example, have authenticators which you can enable, you can turn on, and that secure token code is securely displayed within the app and much more difficult for an attacker to compromise and definitely one of the more preferred ways to do MFA.
Caroline Blouin
45:07 I think the next question is for Ted. What do cyber insurance policies typically cover, how do they assess damages, and also, what is the general cost for a pension fund?
Caroline Blouin
45:36 Or maybe we lost Ted.
David Bartucci
45:38 I think we lost Ted for a moment.
Caroline Blouin
45:41 Oh, no.
David Bartucci
45:41 We'll hold that one--
Caroline Blouin
45:42 Okay.
David Bartucci
45:42 --until he comes back. Maybe while we wait for Ted to come back, there's a question about the linkage between cyber and ESG. Ryan, I'll see if maybe you wanted to comment on that. And then there's a question around how do you recommend a plan assess a third party's cyber process and whether SOC reports are sufficient. So I'll publish both of those and throw it back to Ryan.
Ryan Wilson
46:17 Yep, sure. So I'll start with the one around how do we assess a third party. And this is a really kind of interesting topic for a lot of organizations out there today. So first of all, having a third-party risk management program is typically what is done in this particular space. And because in a typical organization, you're dealing with a large number of third parties, you need to tier and categorize them. And you will typically do this by the criticality or most important ones to your business and ultimately those that have a significant impact or access to plan member data. Once you understand kind of who those third parties are, you would typically draft a set of questions that you would like to understand from a security practices point of view. And there's a number of organizations out there that publish guidance around what those questions should look like. One of the specific questions was is a SOC report sufficient enough. SOC reports do contain a lot of information relative to that entity that you're assessing. What I think is really important is to understand the scope of that SOC report, whether it's SOC type one, type two, and really make sure that it covers the services that you're using in that organization and go through and match the SOC report to the questions, ultimately, from a risk perspective that you're asking of that entity. So I see a SOC report as a really good starting point with assessing a third party but definitely not a definitive guide to making sure that they are secure and follow the practices that you're looking for. David, do you have the second question again? Sorry, I'm just [crosstalk] here.
David Bartucci
48:21 It was about the connection. Not a problem. It was about the connection between ESG and cybersecurity.
Ryan Wilson
48:30 Yeah, for sure. Yeah. Cybersecurity is one of the key or one of the areas that ESG will definitely look at. If you look at the impact cybersecurity could have to, essentially, the financial valuation of that organization, brand and reputation loss of a cyberattack, if I look at a comprehensive ESG program, cyber is one of those elements of it. Again, just due to the nature of cyber in general, the impact that it can have to an organization, in your case, plan holder members, it's absolutely one of the key topics I would say are on most organizations' ESG agendas.
David Bartucci
49:21 Thanks, Ryan. I'm going to actually pivot back to Ted who has rejoined us. Ted, there was a question earlier which we published around whether cyber insurance-- what does cyber insurance policies typically cover, and what would be the cost? And then there's another question which maybe I'll simultaneously invite you to answer which says if an administrator has a cyber insurance policy or social engineering policy, would you expect that policy would also cover the plan itself. So I'll publish that one, and invite you to answer those, Ted.
David Bartucci
50:48 Ted, we're having some difficulty hearing you.
Ted Harman
50:57 It would help if I unmuted my mic [laughter], so. Year 2022 problems. So I'll go back to the beginning. The cyber policies are divided basically into two major sections. The first section is first-party coverage, which covers the purchasing entity itself. So if you're a plan administrator, it will cover your own network and costs that are related to a cyberattack on your network. And then you'll have a second portion of the policy that will cover third-party damage, which would be cost related to your plan members. So you're a pension administrator with 10,000 or 100,000 beneficiaries of the pension. The third-party coverage will cover expenses that are related to the notification of your beneficiaries as well as any costs related to future protection of those people. In the case of the federal government, they had a case of a cyber breach where there were 600,000 taxpayers who were touched by a cyberattack. I was one of them. They provided five years' worth of credit monitoring. So if you think that the average cost per plan member, depending on the number of the duration of the coverage that you're going to provide, if you used one year as a rule of thumb, then you could expect to purchase a policy-- it is $75 for every plan member.
Ted Harman
52:59 So if you have 100,000 plan members, then you would need $7.5 million for third-party coverage. And that's a rule of thumb. It's not a hard and fast rule. It's a simple way for you to get a sense of what type of coverage that you could require. But there are also-- Chubb provides a modeling tool that you can use in order to ascertain exactly what it is that you need as coverage. For first party, reconstitution of networks is a very, very expensive business. And so you want to make sure that the data reconstitution costs are covered. A methodology for determining what those costs could be-- I think Ryan may be in a better position to describe those costs, or methodologies for determining those costs, than I would. So then, David, you said you had another question about another issue?
David Bartucci
54:10 Yeah, Ted, thanks for that. Why don't we actually-- we'll respond to that second question in writing. There's a number of other questions that have come up. And so I think I'm just going to throw one last question to Ryan. And then as Caroline said at the outset, we'll answer all the other questions that have come in in writing, and you'll get a notification when that goes up. So, Ryan, there's a few questions that sort of have a similar theme to them. And it's really about how does a plan sponsor think about performing a cyber review. How do they know that an organization that they're interested in engaging with is a good one to partner with? And how do you sort of assess third parties? That's probably a mouthful, but I'll throw that over to you.
Caroline Blouin
55:13 And can I add, because there are a couple of those and one variation is for smaller entities, and would you recommend that they get an external cybersecurity assessment?
Ryan Wilson
55:29 Okay. Yeah, that's quite a compounded question. So let's maybe unpack that a little bit. So first of all, I think there's two common things, when you start thinking about understanding cyber risk to an organization, that are valuable. One is performing a threat risk assessment. So let's understand what's most important to the organization at a level that is in tune with the business itself and critical assets of what we're trying to protect. So threat risk assessment is one thing that you can think through. A lot of external entities that provide that-- I'll talk about external entities in a second. And then the second part is really a cyber maturity review. And a cyber maturity review kind of looks at what are the leading practices that organizations should be doing from a cyber point of view and ultimately plots you on a scale of where you sit today and what are kind of those immediate next steps or most meaningful things that you can do to improve your cyber posture and program. The question around external entities, so there are a number of cybersecurity providers out there today, all of the big four do this on a regular basis. There's a lot of tier-two accounting and audit firms that also do this type of work. All of those are obviously well known, reputable. And then, there's a number of boutiques in the cybersecurity space as well. And this is something that, obviously, you can evaluate and look at kind of what their reputation is and overall ability to perform this piece of work, but there's a large number of them in the Canadian market that do this on a regular basis. Ask for references, ask for who they work with, talk to them, and make your conclusion based on that.
Ryan Wilson
57:23 And then, with respect to third-party risk management, again, a lot of organizations will do this themselves. They will consult with an external entity, if they need to, on the right questions to be asking. And then, again, focus on those critical suppliers or the ones that have direct access or could have the most impact to plan member or information assets within the organization itself. So hopefully I answered the compounded question. But again, if we don't get to it on this webinar, happy to follow up through email and written responses as well. Back to you, David.
Caroline Blouin
58:09 Thank you. Oh. I think it's back to me. Yes. Thank you so much, Ryan. That's okay. Well, this was fantastic. Lots of great information. Thank you so much Ryan, Ted, David. This was so informative. The questions are absolutely outstanding. There's still lots of questions in the thread - thank you so much for all of those - around resources and vendors and so on. So we are going to get to all of these, and the recording of this webcast, the answers to the questions we didn't get to will all be posted in a couple of weeks on our website. I hope you found this session helpful. As always, you can always contact one of us if you have any questions. And with that, all of us will wish you a wonderful afternoon. Thank you so much.
Questions & Answers
Q1: How long should we keep records for members who are paid out and there are no pension benefits owed?
A1: Plan records that pertain to individual plan beneficiaries should be retained at least as long as they have an entitlement under the pension plan. This may include information related to plan enrolment, beneficiary designations, pension statements, court documents related to breakdown of a spousal relationship, etc.
Once a plan member has terminated their employment or (in MEPPS) plan membership, and has elected to transfer their entitlement out of the pension plan, not all plan records that pertain to the plan member necessarily have to be kept. However, it is important for the plan administrator to retain at least a summary of the terminated member’s plan records that will provide confirmation that their entitlement under the plan has been fully settled. As well, we note that in some marriage breakdown situations, administrators will need to calculate benefit accruals for members whose benefit is no longer in the plan. Unless they have internal expertise and knowledge about this, plan administrators should seek expert advice regarding record retention policies and best practices.
Please refer to PE0120ORG – Management and Retention of Pension Plan Records by the Administrator for a list of record retention best practices.
Q2: Can an administrator charge the pension fund for expenses involved with cyber security insurance, policies and other work related to the protection of the pension plan information?
A2: It is generally permissible, subject to the plan documents, to pay reasonable expenses for the administration and investment of the pension plan out of the pension fund.
Permitted expenses are determined on a case-by-case basis. Administrators should take care in consideration of insurance policies, whether they relate to the employer’s business functions or to the pension plan. Expenses that are primarily for the benefit or protection of the employer’s interests cannot be charged to the pension fund. Other than that, such expenses can generally be paid from the pension fund if plan documents support that and if they are reasonable and appropriate in the circumstances and are in the interest of plan beneficiaries. Unless they have internal expertise and knowledge about this, plan administrators should seek legal advice concerning the types of expenses that may be paid from the pension fund.
Please refer to the following guidance for additional information: PE0296INT – Pension Plan Administrator Roles and Responsibilities.
Q3: How do we convince plan sponsors and members that the pension plan systems are safe?
A3: Plan sponsors and members could be provided with a statement of how you have constructed a risk-based cyber program (at a high level) following a particular industry standard, with specific emphasis on making sure critical controls are in place to protect member data; strong identity and access management, data protection, etc. are all vital controls.
Q4: Is two-factor authentication by text message/email no longer good enough? I am hearing that using authenticator apps is the new gold standard of 2FA?
A4: Common leading practices are to use strong MFA such as a reputable authenticator application. MFA via text message is not as secure as other forms of MFA.
Q5: How do you recommend a plan administrator assess if a third party's cyber security processes are adequate? Are service organization controls (SOC) reports sufficient?
A5: Establishing a third-party risk management program with sufficient coverage to understand the state of cyber security for a particular entity (third party) you conduct business with is a common practice. This third-party assessment looks at the cyber controls in place (the number and complexity of questions is typically tiered based on the type of data and level of access to information systems the third party may have). A SOC report provides the answers to some but not all of these key controls to look at.
Q6: Even if your organization is relatively small but holds personal information, should you be getting a third-party security assessment? What organizations provide these types of assessments?
A6: All organizations should assess their cyber security program and defences. The suitability of the framework used for these reviews should be based on the company size and the sensitivity of the data they possess.
Q7: If a plan administrator delegates daily administration to a third-party provider and thus sends personal information on members to that third-party administrator, is it a good practice to ask that third-party provider to provide an annual certification that it has a cyber security policy in place and that no cyber security attack happened during the last plan year?
A7: A formal cyber review should be considered if plan administration is delegated to a third party. Specifically, you may consider looking at the cyber practices of that third-party and how they are keeping plan data and member information safe. Typically, this would be aligned to a third party risk management program and questionnaire (addressed above).
Q8: How would a plan sponsor go about finding a reputable company who performs these types of cyber reviews? Will there be a FSRA directory of approved/recommended vendors? What is an estimated cost to plan sponsor to perform a review?
A8: There are a number of reputable cyber security organizations across Canada who have the capabilities and skills to complete a full cyber review based on an industry-standard framework such as NIST or ISO. Additionally, there is more tactical testing, such as application security and vulnerability testing, that can be performed to assess weaknesses within the operating environment. FSRA does not maintain a list, but Gartner, Forrester and other research organizations do list the top companies to look at for providing these services.
Q9: You mentioned that there have been cyber incidents affecting pension plans in recent headlines. Could you provide a couple of examples? How were the issues ultimately resolved?
A9: A number of cyber related incidents have taken place affecting pension plans. Some were noted in the presentation with specific plan names removed. Many are still in ongoing litigation in terms of resolution.
Q10: Is SOC 2 important? Does it replace or complement other cyber security policies? What about ISO 27001?
A10: SOC 2 is an important attestation of operating practices. It complements and looks at specific elements of an effective cyber security program. ISO 27001 is a standard that focuses specifically on cyber security and can be certified against.
Q11: Can you speak to the importance of a solid written Disaster Recovery Plan?
A11: A well written BCP and DR plan are critical in order to understand how to resume normal business operations after an incident or cyber related breach. It is equally important to make sure these plans are tested often and that you are able to restore service based on your RTO and RPO defined targets.
Q12: What resources would you recommend to someone looking to establish a more sophisticated approach to cyber security?
A12: NIST-CSF or ISO 27001 are two comprehensive cyber security frameworks used today. Additionally, formalizing a risk assessment methodology to formally assess and understand inherent and residual cyber risk is key (IRAM2 and FAIR may be considered as examples).
Q13: What do cyber insurance policies typically cover (how do they assess damages) and also what is general cost for a pension plan?
A13: Cyber liability insurance typically includes two types of cyber insurance, First-Party Cyber Liability and Data & Network Liability.
First-party Cyber Liability insurance covers the expenses your business may incur following a data breach or other cyber security attack on your network or systems. It will cover the costs of:
- Business Interruption: Covers loss of income as a result of a breach on the insured’s computer systems.
- Data Recovery: Covers cost to restore the network and data to the point it was at before the event occurred.
- Cyber Extortion: coverage for extortion payments and fees and expenses for a security consultant retained to prevent or terminate an extortion threat.
- Forensic Costs: Covers costs associated with hiring a professional third party to determine where, when, and how the breach occurred.
- Legal Services: Covers the legal costs to comply with Breach Notice Laws and legal advice in responding to actual or suspected theft or loss of personal data.
- Notification services: Covers costs associated with letting all those affected by the breach (including individuals, entities, and regulators) know that it has occurred.
- PR and Crisis Management Expenses: Covers loss of income as a result of a cyber event in the media causing termination of your services by one or several of your clients.
- Social Engineering Fraud: Covers the loss of money when hackers manipulate employees into disclosing private information which leads to them voluntarily parting with money.
- Regulatory Defence And Penalties: Covers costs associated with being called in front of a civil, administrative, or regulatory proceeding and fines and civil penalties.
- Payment Card Industry Fines And Penalties: Covers monetary assessments, fines and penalties as a result of non-compliance with PCI Standards.
Data & Network Liability covers damages and claims expenses associated with lawsuits alleging the unauthorized collection, disclosure, use, access, destruction, or modification of personal protected information. These lawsuits can accuse your business of failing to adequately protect data that is in your care, custody and control.
It is difficult to provide a premium indication as each pension fund will have its own characteristics which will influence the setting of the premium. The larger the fund and the greater the number of records that the fund holds, the higher the premium.
Q14: If the plan administrator has a cyber insurance and/or social engineering policy, would that policy also cover the pension plan?
A14: We would recommend that a plan administrator asks their insurer to specifically add the clients of the administrator as named insureds. This will ensure that coverage purchased by the administrator extends to their clients’ transactions related to their pension plan.
Q15: As an advisor, should we be recommending cyber security insurance to our clients?
A15: Unequivocally yes. The question should form part of the due diligence you perform with clients when setting up their plan.