Years before his late-career rebirth as nemesis to former U.S. President Donald Trump, Robert Mueller coined a phrase that went down in history among cybersecurity experts.
“I am convinced that there are only two types of companies: those that have been hacked and those that will be,” said the then Federal Bureau of Investigation director in a 2012 speech. “And even they are converging into one category: companies that have been hacked and will be hacked again.”
Almost a decade on, Mueller’s words resonate, with terms like phishing and ransomware entering the public lexicon following a series of high-profile and costly attacks that made headlines around the world. Meanwhile, advances in digital technology mean it’s almost impossible to overstate the impact of cyber threats, according to Sandra Lau, the Alberta Investment Management Corp.’s executive vice-president of fixed income.
Reflecting on the great economic emergencies of our time, she says the 2008/09 global financial crisis originated in the financial system, while the fallout from the ongoing coronavirus pandemic has its roots in public health. “Next time around, the biggest risk is going to be cyber,” she says, noting she expects her investment targets to take the issue as seriously as she does. “Good governance is always a requirement when we’re looking at an investment and cyber-security is part of that. It’s been top of mind for us for a long time.”
Lau isn’t the only one thinking this way, as demonstrated by the results of a 2021 survey by RBC Global Asset Management, which found 56 per cent of institutional investors place cybersecurity among their top environmental, social and governance concerns, bumping it up from fourth to second in the ranking of all ESG issues compared with 2020.
Canadian investors placed even more emphasis on cyber issues in their investment decisions, with 62 per cent ranking it in their top tier of ESG worries.
The results came as no surprise to Melanie Adams, the investment manager’s head of corporate governance and responsible investment. Quite apart from the significant financial, litigation, regulatory and reputational risk that a breach could pose, she says pension plan sponsors and other institutional investors are most scared by factors that fall outside of their comfort zone. “The hardest thing about cybersecurity is that it’s very difficult to assess if you’re not an expert.”
Even with help from industry consultants, investors are often reliant on a company’s own disclosures about its breach history and existing cyber defences. “What investors can do is work on the company’s policies and procedures and look at how the board is overseeing their implementation,” says Adams. “But there’s not much you can do to check it.”
Some pension plan sponsors are exploring cyber insurance as a way to mitigate the risk of a breach, either by purchasing coverage for themselves or by insisting that investment targets have it in place ahead of a deal, according to Molly Reynolds, a lawyer at Torys LLP who advises pension funds and financial institutions on data governance and commercial transactions. “It’s an ongoing discussion across several sectors.”
Investors don’t need to be intentionally misled in order to find themselves exposed, she adds. “The target might say they haven’t had any incidents, but when you dig in, you could find it’s because they don’t really have the framework in place to detect and monitor breaches, which means investors may be going into a purchase with an inflated level of confidence.”
Indeed, according to a 2021 study by International Business Machines Corp. of more than 500 data breaches, it took organizations an average of 212 days just to discover they’d been hacked — giving malicious actors as many as seven months to poke around systems looking for more private data and further weak spots, depending on the sophistication of the incident.
Late last year, the Canada Pension Plan Investment Board became a reluctant posterchild for cyber risk in the investment sphere when Texas-based software firm SolarWinds Inc. announced its systems had been penetrated by suspected Russian hackers, just days after the CPPIB sealed a $315-million deal for a five per cent stake in the company.
The attack was particularly impactful because it spread to a number of SolarWinds’ clients — including technology giant Microsoft Corp. and several U.S. government agencies — and the firm’s acknowledgement of its problem sent its share price spiralling. From a high of around $25 on Dec. 8, 2020 — the day after the CPPIB deal was completed — SolarWinds’ stock price plummeted to around $14 just over a week later, wiping more than 40 per cent off the company’s value. The share price has since recovered, climbing to $19.33 by mid-October, but still well short of its peak.
According to a report in the Washington Post, the company and its two largest shareholders said they only learned of the breach after agreeing the sale to the CPPIB. The newspaper also quoted a former cybersecurity adviser who said he quit the company back in 2017 because of its refusal to follow his recommendations for beefing up its defences to cyber attacks.
In a statement to the Post, Michel Leduc, senior managing director at the CPPIB, said “no one was aware of the hack leading to our capital commitment” to the best of their knowledge, but that the fund was “always focused on the very best interests of the fund and we will continue to assess the circumstances for optimal certainty.” A spokesperson declined to comment further to Benefits Canada.
In addition to post-transaction exposure, pension funds are increasingly turning their minds to the protection of information gathered during the secrecy-laden periods of exploration, negotiation and due diligence that precede the public announcement of a deal.
“If you look across industries, many would say that investment activity has been overlooked from a cybersecurity perspective,” says Reynolds. “There is often highly sensitive information about the founders, directors and management of target companies and other material that, if leaked, could crater significant deals.
“It’s been a long-standing practice for funds to sign non-disclosure agreements around potential transactions and I’m seeing a lot more practice and planning steps being taken to ensure that they are operationally living up to those significant confidentiality obligations.”
Before turning their attention to cybersecurity outside the organization, it’s best for pension administrators to get their own houses in order, according to Katharine Hall, head of Aon’s national cyber practice. “There really isn’t a bad time to start looking at this risk. You can’t sit back and wait for something to happen.”
While some organizations have traditionally viewed ransomware and data breaches as an issue for banks and health-care organizations due to their holdings of cash and sensitive personal information, Hall says the recent Colonial Pipeline hack should prompt them to re-evaluate their exposure to an attack and take a more proactive approach to defending themselves.
Despite Colonial’s relatively small number of employees and minimal interaction with the general public, the ransomware attack forced the largest fuel pipeline in the U.S. to shut down for six days in May, leading to shortages across the Eastern seaboard; the company paid a $4.4-million ransom, yet still needed days to get back online.
“If you can hold the entire organization hostage, as opposed to getting a few credit card numbers off the internet, you can get a much better return,” says Hall. “That’s a real risk for pension plans.”
If attacks like the Colonial shutdown aren’t enough to scare pension plan sponsors into action, Jordan Fremont, a partner in the pension and benefits practice at Bennett Jones LLP, says recent regulatory developments provide them with an added incentive to boost their cybersecurity.
At the federal level, the Office of the Superintendent of Financial Institutions recently updated its guidance for cybersecurity preparedness and raised its standards for incident reporting. Meanwhile, the Canadian Association of Pension Supervisory Authorities has established a committee that’s currently working on developing a cyber toolkit of best practices and resources.
“The first step for pensions is understanding and identifying risks and the second is setting out policies and procedures that help to manage and mitigate those risks,” says Fremont. “It has to be specific to each plan — it can’t be one size fits all — and it has to continue to evolve as the threats and risks evolve.”
Jaycee Roth, associate managing director of cyber risk at digital service provider Kroll Inc., says compliance with industry standards, such as the Center for Internet Security’s list of 18 critical security controls, can help pension plan sponsors take their defences to the next level by instilling a culture of cybersecurity via threat awareness and skills training, breach simulations and penetration testing, among other measures.
But they also provide a template for pension plan sponsors seeking to assess the situation at their investment targets, she adds. “It’s vital to ask whether they’re following these protocols.”
When it comes to vetting a company’s claims about its cybersecurity, Roth suggests institutional investors take a “trust, but verify” approach. “There are way too many cases where an incident evaluation showed they downplayed the importance of security, but the deal went ahead because it looked too good overall to pass up.
“If they won’t let you evaluate them properly or they can’t provide you with a verified risk assessment, you might be setting yourself up for an expensive future tragedy in terms of financial and reputational damage.”
Michael McKiernan is a freelance writer.