While pension fund managers are used to considering risks from many sources, cyber risk might not be on their radar. But it should be, argued Alec Ross, former senior innovation advisor to Secretary of State Hillary Clinton and keynote speaker at the 2014 Risk Management Conference in Muskoka, Ontario, held August 13-15.
“The world is not changing; the world has changed,” he advised, adding, “90% of all of the world’s data has been created in the last two years, and that’s increasing by 50% a year.”
This accelerated access to information is creating a whole new world of opportunities and risks for the pension industry. “We live in a hyper-connected world,” said Ross. “Iron was the raw material of the industrial age; data is the raw material of the information age.”
Knowing the risks
In 2014, the cyber security industry will be about $95 billion—and it’s estimated to reach $155 billion in the next five years, Ross explained. In fact, he believes that five-year figure could actually reach $175 billion.
Pension funds should be concerned about hackers who are trying to displace their assets, said Ross. Ten years ago, he explained, it took 10 seconds to clear an average trade; today, it takes eight ten-thousandths of a second. In the U.S., the annual loss of intellectual property is $3 billion/year, he added.
Interestingly, the risks to businesses and networks are not necessarily going to come just from big government-sponsored entities going forward, Ross explained. “Power is increasingly devolving and being available to citizens and networks of citizens.”
According to Ross, there are three kinds of cyber attacks to watch for.
1. Confidentiality—Target, for example, was undermined by a 17-year-old in Russia. He exposed 40 million customers’ credit and debit cards, and 70 million customers’ personally identifiable information, leading to a 46% drop in the company’s profits in Q4 of 2013.
2. Availability—These attacks involve taking down a website—a strategy for which the (in)famous group Anonymous has become renowned. While they can result in a loss of company revenue, the systems themselves tend to be resilient, Ross added.
3. Integrity—Such attacks are aimed not just at stealing intellectual property, but also at seizing control of the system. Ross told the story of how the largest company in the world, Saudi Aramco, was also the victim of the largest cyber integrity attack ever, due to a piece of malware that took the company offline. The attack destroyed 30,000 computers—and for every day the company was offline, the price of gas at the pump would go up by 7 cents, said Ross, noting that if they are vulnerable, then anyone is.
For the pension investment industry, the greatest risk is having its trading platforms infiltrated. Ross advised pension investors to consider the possibility of threats coming from the inside, as well as the outside, and to mitigate the risks within their own IT department.
In light of increased concerns around privacy and transparency of information, he also advised key stakeholders to ask the company’s chief information security officer what the company is doing about data privacy and to consider what the company legitimately wants to keep private. “That which you think is private oftentimes is not,” he added.
Ross closed with five recommendations for mitigating risk in a hyper-connected world:
- Include someone with cyber capabilities on your board.
- When assessing companies or funds for potential investment, ask what they or the board of directors is doing about cyber security.
- Build a protective layer of insurance into your business models.
- Back up your critical data with machines that aren’t connected to the Internet.
- Understand your own cyber security.
He suggested that hiring “white-hat hackers” is one way to help determine your company’s vulnerabilities to cyber attacks. But the reality is, no one is immune.
“If they want to get you, they’re going to get you,” he added. “There’s always someone smarter and more capable than you.”