The administrator of the Newfoundland and Labrador Public Service Pension Plan is planning a revamp of its information technology governance processes to mitigate cybersecurity risks.
“The organization understands the importance of technology in enabling modernization of pension administration service delivery,” wrote Provident10 in the PSPP’s 2021 annual report. “Modernization will advance member and stakeholder experiences, as well as generate business efficiencies and mitigate risk associated with current systems.”
The move is part of a broader five-year strategic plan that will see Provident10 make continued investments in IT governance and risk management by 2026.
“Good governance is a fundamental principle at Provident10 and provides the organization with its license to operate,” said the report. “The organization is committed to investing in IT governance and risk management to maintain the highest standards of ethical conduct.”
While Provident10 didn’t provide more information on its specific concerns with its current IT protocols, the announcement comes after a series of high-profile cyber attacks on pension plan administrators and their assets.
In February, hackers compromised a Massachusetts municipality’s pension plan and extracted US$3.5 million from its administrators. The funds haven’t been recovered. In its most recent review of threats to the Canadian financial sector, the Bank of Canada noted the risk of attacks on Canadian financial institutions is on the rise.
“Cyber threats represent a continued vulnerability given the interconnected nature of the financial system,” said the bank. “With the ongoing war in Ukraine, state-sponsored cyber attacks are occurring with greater frequency and sophistication, increasing the risk of a successful attack on a Canadian financial institution or financial market infrastructure. Such an attack could have far-reaching effects on the broader financial system.”
While it isn’t clear if any major Canadian pension plans have been directly targeted, the country’s largest pension investment organization has already seen cyber attacks damage the value of its portfolio.
In 2020, the Canada Pension Plan Investment Board made a US$315 million investment in Texas-based software company SolarWinds Inc. at a time when its shares were being traded for about US$25 each. The next week, the company announced its systems had been compromised by Russian hackers, severely affecting its share price and reputation. Its stock now trades for roughly US$11.
Provident10 and the Bank of Canada aren’t alone in their concerns about the vulnerability of institutional investors to cyber attacks. Last November, Minister for Public Safety Marco Mendicino sponsored a bill that, if passed, would require key financial institutions, including pension investment organizations, to report cyber attacks and develop formal cybersecurity procedures.
Benjamin Fung, a professor at the McGill School of Information Studies, says these plans can significantly reduce the risk of cyber attacks. “If you think about cyber attacks on financial institutions, there are two categories. The easy approach is also the smaller scale one — the attacker impersonates an individual and transfers funds. That can be mitigated by adopting two-factor authentication, which can prevent 90 per cent of these attacks from succeeding.
“Surface side attacks are the other approach and they’re not easy to do,” he continues. “When it happens, it’s because internal staff open up a back door by accidentally downloading a virus. And human error is difficult to prevent. It’s mostly a management issue. Management should come up with a cybersecurity plan to revisit every process. They should also look right through their supply chain. Security management teams should also have a contingency plan in place in the event they do get hacked.”