Phishing and ransomware attacks are among the top threats cyber criminals pose to pension plan sponsors and institutional investors, according to Jennifer Williams, director of information security at the Healthcare of Ontario Pension Plan.
“A common approach by cyber criminals begins with a simple phishing email designed to cause an employee to mistakenly action the request, leading to the compromise of their user account information. This potentially opens the door to a ransomware incident,” she wrote in an email to the Canadian Investment Review. “Financial organizations are especially popular targets of ransomware attacks due to the high value of the data and the cost associated with a disruption of operations.”
In ransomware cases, victim organizations are typically locked out of their computer systems by a data encryption program. The institutions are usually left choosing between giving in to extortion attempts and having digital information about third parties stolen or exposed to the public.
“These types of attacks can have significant financial impact on an organization and can affect the confidence their clients have in their ability to secure their systems and their companies’ confidential information,” noted Williams.
She also said that the risks posed by cyber crime to pension plan sponsors and their organizations have increased since the beginning of the pandemic. “As these attacks continue to evolve, organizations need to keep pace and stay ahead of new types of attacks. With the continuous advancement of technologies that leverage automation and machine learning and artificial intelligence, cyber criminals also benefit from having similar technologies to launch faster, more efficient and sophisticated attacks.”
To curb the risk posed by phishing attacks and ransomware, she suggested that plan sponsors and other institutional investors take a proactive approach to security. To do so, organizations should give investors a solid understanding of their existing security practices and policies.
“Investors, directly or using specialist consultants, should perform due diligence by obtaining a detailed overview and understanding of the organization’s data protection practices, technologies used to mitigate security risk, security event monitoring, incident response processes and employee training requirements.”
Williams said that robust information security programs are usually built on layers of security at a technological, organizational and individual level. To mitigate the threat posed by cyber criminals, pension plan sponsors and institutional investors should invest in security programs that provide organizational oversight while aligning with industry best practices and standards.
“Having technologies alone is not enough. It is important to spend time to properly tune and optimize these technologies in order to achieve the desired outcome of monitoring for anomalies in the system environment.”
On an institutional level, Williams suggested that organizations regularly test employees’ awareness of cyber threats through simulated phishing attack exercises. “Building a culture where security awareness is of great importance, [as is] offering multiple learning opportunities to help employees understand their critical role in helping protect systems and confidential information.”