Years before his late-career rebirth as nemesis to former U.S. President Donald Trump, Robert Muller coined a phrase that went down in history among cybersecurity experts.

“I am convinced that there are only two types of companies: those that have been hacked and those that will be,” said the then Federal Bureau of Investigation director in a 2012 speech. “And even they are converging into one category: companies that have been hacked and will be hacked again.”

Almost a decade on, Muller’s words resonate, with terms like phishing and ransomware entering the public lexicon following a series of high-profile and costly attacks that made headlines around the world. Meanwhile, advances in digital technology mean it’s almost impossible to underestimate the impact of cyber threats, according to Sandra Lau, the Alberta Investment Management Corp.’s executive vice-president of fixed income.

Read: Cybersecurity issues rank as top concern for risk managers: survey

Reflecting on the great economic emergencies of our time, she says the 2008/09 global financial crisis originated in the financial system, while the fallout from the ongoing coronavirus pandemic has its roots in public health. “Next time around, the biggest risk is going to be cyber,” she says, noting she expects her investment targets to take the issue as seriously as she does. “Good governance is always a requirement when we’re looking at an investment and cyber-security is part of that. It’s been top of mind for us for a long time.”

Lau isn’t the only one thinking this way, as demonstrated by the results of a 2021 survey by RBC Global Asset Management, which found 56 per cent of institutional investors place cybersecurity among their top environmental, social and governance concerns, bumping it up from fourth to second in the ranking of all ESG issues compared with 2020.

By the numbers

62% — The percentage of Canadian institutional investors that placed cybersecurity issues among their top ESG concerns, according to a 2021 survey by RBC Global Asset Management

87% — The percentage of Canadian businesses that reported falling victim to a breach in 2017, according to the World Economic Forum

40% — The percentage drop in the share price of software maker SolarWinds within two weeks of the CPPIB’s $315-million investment after the company revealed a massive hack of its system

US$113M — The CPPIB’s loss on the deal in the two-week period after it closed

212 days — Average time it took organizations to identify a data breach, according to a 2021 IBM report based on 537 real hacks across 17 industries

75 days — Average additional time it took to contain a breach after detection, according to IBM’s report

Canadian investors placed even more emphasis on cyber issues in their investment decisions, with 62 per cent ranking it in their top tier of ESG worries.

The results came as no surprise to Melanie Adams, the investment manager’s head of corporate governance and responsible investment. Quite apart from the significant financial, litigation, regulatory and reputational risk that a breach could pose, she says pension plan sponsors and other institutional investors are most scared by factors that fall outside of their comfort zone. “The hardest thing about cybersecurity is that it’s very difficult to assess if you’re not an expert.”

Read: Institutional investors emphasizing ESG factors amid pandemic, finds survey

Even with help from industry consultants, investors are often reliant on a company’s own disclosures about its breach history and existing cyber defences. “What investors can do is work on the company’s policies and procedures and look at how the board is overseeing their implementation,” says Adams. “But there’s not much you can do to check it.”

Some pension plan sponsors are exploring cyber insurance as a way to mitigate the risk of a breach, either by purchasing coverage for themselves or by insisting that investment targets have it in place ahead of a deal, according to Molly Reynolds, a lawyer at Torys LLP who advises pension funds and financial institutions on data governance and commercial transactions. “It’s an ongoing discussion across several sectors.”

Investors don’t need to be intentionally misled in order to find themselves exposed, she adds. “The target might say they haven’t had any incidents, but when you dig in, you could find it’s because they don’t really have the framework in place to detect and monitor breaches, which means investors may
be going into a purchase with an inflated level of confidence.”

Indeed, according to a 2021 study by International Business Machines Corp. of more than 500 data breaches, it took organizations an average of 212 days just to discover they’d been hacked — giving malicious actors as many as seven months to poke around systems looking for more private data and further weak spots, depending on the sophistication of the incident.

Read: Phishing and ransomware risks on the rise for pension funds, says expert

Late last year, the Canada Pension Plan Investment Board became a reluctant posterchild for cyber risk in the investment sphere when Texas-based software firm SolarWinds Inc. announced its systems had been penetrated by suspected Russian hackers, just days after the CPPIB sealed a $315-million deal for a five per cent stake in the company.

The attack was particularly impactful because it spread to a number of SolarWinds’ clients — including technology giant Microsoft Corp. and several U.S. government agencies — and the firm’s acknowledgement of its problem sent its share price spiralling. From a high of around $25 on Dec. 8, 2020— the day after the CPPIB deal was completed — SolarWinds’ stock price plummeted to around $14 just over a week later, wiping more than 40 per cent off the company’s value. The share price has since recovered, climbing to $19.33 by mid-October, but still well short of its peak.

Pension funds embracing cybersecurity investments

Whether or not they’ve been targeted by hackers, pension funds have cybersecurity companies in their own crosshairs when it comes to investments.

Ashley Madison, Colonial Pipeline, Equifax Inc. and SolarWinds — these same data breach events that catapulted cyber threats into the public consciousness and struck fear into boardrooms around the globe over the last few years have also raised the profile of the burgeoning industry devoted to keeping hackers out of company systems.

Several large Canadian pension funds have made major moves in the space, including the CPPIB, through its investment in data centre and cybersecurity solutions provider Cyxtera Technologies, and the Caisse de dépôt et placement du Québec, which recently led a $55-million D-series financing round for cybersecurity and compliance company Onapsis Inc.

Meanwhile, the Ontario Teachers’ Pension Plan was part of a consortium that purchased cyber and digital risk-focused RSA Security Inc. in a $2-billion deal last year. It then followed up earlier in 2021 with a $150-million investment in information technology security firm Tanium through its Teachers’ Innovation Platform, which targets late-stage venture investments in disruptive tech companies.

According to a report in the Washington Post, the company and its two largest shareholders said they only learned of the breach after agreeing the sale to the CPPIB. The newspaper also quoted a former cybersecurity adviser who said he quit the company back in 2017 because of its refusal to follow his recommendations for beefing up its defences to cyber attacks.

In a statement to the Post, Michel Leduc, senior managing director at the CPPIB, said “no one was aware of the hack leading to our capital commitment” to the best of their knowledge, but that the fund was “always focused on the very best interests of the fund and we will continue to assess the circumstances for optimal certainty.” A spokesperson declined to comment further to Benefits Canada.

Read: OSFI launches discussion on tech risks to pensions, other federal financial institutions

In addition to post-transaction exposure, pension funds are increasingly turning their minds to the protection of information gathered during the secrecy-laden periods of exploration, negotiation and due diligence that precede the public announcement of a deal.

“If you look across industries, many would say that investment activity has been overlooked from a cybersecurity perspective,” says Reynolds. “There is often highly sensitive information about the founders, directors and management of target companies and other material that, if leaked, could crater significant deals.

“It’s been a long-standing practice for funds to sign non-disclosure agreements around potential transactions and I’m seeing a lot more practice and planning steps being taken to ensure that they are operationally living up to those significant confidentiality obligations.”

Before turning their attention to cybersecurity outside the organization, it’s best for pension administrators to get their own houses in order, according to Katharine Hall, head of Aon’s national cyber practice. “There really isn’t a bad time to start looking at this risk. You can’t sit back and wait for something to happen.”

Read: Caisse investing further in green transportation, Ontario Teachers’ in cybersecurity

While some organizations have traditionally viewed ransomware and data breaches as an issue for banks and health-care organizations due to their holdings of cash and sensitive personal information, Hall says the recent Colonial Pipeline hack should prompt them to re-evaluate their exposure to an attack and take a more proactive approach to defending themselves.

Despite Colonial’s relatively small number of employees and minimal interaction with the general public, the malware attack forced the largest fuel pipeline in the U.S. to shut down for six days in May, leading to shortages across the Eastern seaboard, before the company paid a $4.4-million ransom to get back online.

“If you can hold the entire organization hostage, as opposed to getting a few credit card numbers off the internet, you can get a much better return,” says Hall. “That’s a real risk for pension plans.”

If attacks like the Colonial shutdown aren’t enough to scare pension plan sponsors into action, Jordan Fremont, a partner in the pension and benefits practice at Bennett Jones LLP, says recent regulatory developments provide them with an added incentive to boost their cybersecurity.

At the federal level, the Office of the Superintendent of Financial Institutions recently updated its guidance for cybersecurity preparedness and raised its standards for incident reporting. Meanwhile, the Canadian Association of Pension Supervisory Authorities has established a committee that’s currently working on developing a cyber toolkit of best practices and resources.

Read: Caisse investing in cybersecurity company

Key takeaways

• Cybersecurity issues play an increasingly prominent role in investment decisions as high-profile hacks continue to drive home the financial and reputational dangers of data breaches.

• Pension funds must get their own house in order before they can start evaluating the cybersecurity situation at their investment targets.

• The same best practices that should be implemented by pension plan sponsors provide a template for what to look for in their deal partners.

“The first step for pensions is understanding and identifying risks and the second is setting out policies and procedures that help to manage and mitigate those risks,” says Fremont. “It has to be specific to each plan — it can’t be one size fits all — and it has to continue to evolve as the threats and risks evolve.”

Jaycee Roth, associate managing director of cyber risk at digital service provider Kroll Inc., says compliance with industry standards, such as the Center for Internet Security’s list of 18 critical security controls, can help pension plan sponsors take their defences to the next level by instilling a culture of cybersecurity via threat awareness and skills training, breach simulations and penetration testing, among other measures.

But they also provide a template for pension plan sponsors seeking to assess the situation at their investment targets, she adds. “It’s vital to ask whether they’re following these protocols.”

When it comes to vetting a company’s claims about its cybersecurity, Roth suggests institutional investors take a “trust, but verify” approach. “There are way too many cases where an incident evaluation showed they downplayed the importance of security, but the deal went ahead because it looked too good overall to pass up.

“If they won’t let you evaluate them properly or they can’t provide you with a verified risk assessment, you might be setting yourself up for an expensive future tragedy in terms of financial and reputational damage.”

Michael McKiernan is a freelance writer.