CANDICE WILSON: The overlooked cyber risks of the two-pot retirement system
To address the industry-wide problem, organisations need to collaborate and share intelligence
29 August 2024 - 05:00
By Candice Wilson
Companies will have limited opportunity to test security controls once SA's two-pot retirement savings system comes into effect on September 1.
SA’s two-pot retirement savings system comes into effect on September 1, and much has been written about its potential financial and social effects. But there is a less obvious yet no less important aspect that has so far been overlooked: the increased cyber risks the system introduces.
Why does the two-pot system increase cyber risks? Large sums of money become accessible at once, and a flood of requests to update members’ banking details is expected ahead of payouts. That combination is attractive to attackers and would-be fraudsters: the reward for a successful attack is large, and millions of members become eligible to withdraw funds on the same day.
Changes to systems and the introduction of new processes have also had to be made in a rush, given the short period between the government announcing the introduction of the two-pot system and it coming into effect. This means companies have had limited opportunity to rigorously test security controls.
Attackers can use the opportunity to trick members and administrators into divulging or changing sensitive information. For example, an attacker could pretend to be a pension fund administrator and ask (via a phishing email or phone call) that a member click on a link to update their details.
The member could then be tricked into entering the password to their pension fund app on a fake site. Likewise, an attacker could pose as a member and trick a pension fund call centre into divulging information or changing the member’s banking details.
The risk is heightened because a huge influx of requests from members is expected. Call centres, email systems and brokers will be inundated with requests for information and for payouts to be processed. Like an airport with a long queue at security, there is a temptation to reduce checks to speed up the process. But, unlike an airport, there is no historical baseline of two-pot withdrawal behaviour against which to identify the requests that present higher risk. Given the increased risk of cyber attack and fraud, checks need to be strengthened rather than relaxed.
Those who are most vulnerable to being defrauded are those who can least afford it. Those who are close to retirement or are less digitally astute are more susceptible to being tricked by attackers and fraudsters. Older people have less opportunity to recoup lost money before retirement age. And those who are duped into divulging sensitive information in anticipation of a payout are those for whom R30,000 is considered a “material amount” required for an “emergency”.
Retirement funds can take several measures to protect their members and themselves from fraud and cyber attacks. Segmenting the network, and air-gapping the most critical systems where practical, separates the systems on which retirement funds are administered from networks that are reachable from the internet, so that a compromise of an internet-facing system cannot spread to them.
Paying out in multiple stages, with verification at each step, reduces the risk of large-scale fraud. This could include more than one approval, independent confirmation with the member, and a waiting period before funds are released.
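The staged process described above, worked through in code as an added illustration (this is not code from any fund or administrator). It assumes a five-step workflow (capture, identity re-verification by a second agent, call-back to the member, approval, release), a 14-day cooling-off hold after any bank-detail change, and dual approval for amounts of R30,000 or more; the state names, thresholds and member record are constructed for the example.

```python
"""Staged payout release: second-agent identity check, member call-back,
separation-of-duties approvals and a cooling-off hold after a bank-detail change.
Added illustration; states, thresholds and the 14-day hold are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

COOLING_OFF = timedelta(days=14)   # assumed: no release within 14 days of a bank-detail change
DUAL_APPROVAL_FROM = 30_000        # assumed: two approvers at or above this rand amount


class WorkflowError(Exception):
    """A step attempted out of order or by someone already involved in the request."""


@dataclass
class Member:
    member_id: str
    bank_account: str
    bank_changed_at: datetime       # when banking details were last changed


@dataclass
class PayoutRequest:
    member: Member
    amount: int
    requested_at: datetime
    captured_by: str                # agent who logged the request
    verified_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)
    release_not_before: Optional[datetime] = None
    state: str = "SUBMITTED"


def _require(req: PayoutRequest, state: str) -> None:
    if req.state != state:
        raise WorkflowError(f"expected state {state}, request is {req.state}")


def verify_identity(req: PayoutRequest, agent: str) -> None:
    """Step 1: an agent other than the one who captured the request re-verifies identity."""
    _require(req, "SUBMITTED")
    if agent == req.captured_by:
        raise WorkflowError("identity must be re-verified by a second agent")
    req.verified_by = agent
    req.state = "VERIFIED"


def confirm_with_member(req: PayoutRequest, callback_number_on_file: bool) -> None:
    """Step 2: call the member back on the contact details held before any recent change."""
    _require(req, "VERIFIED")
    if not callback_number_on_file:
        raise WorkflowError("call-back must use contact details already on file")
    req.state = "CONFIRMED"


def approve(req: PayoutRequest, approver: str) -> None:
    """Step 3: approvals only by people not yet involved; large amounts need two."""
    _require(req, "CONFIRMED")
    if approver in (req.captured_by, req.verified_by) or approver in req.approvals:
        raise WorkflowError(f"{approver} already touched this request")
    req.approvals.append(approver)
    needed = 2 if req.amount >= DUAL_APPROVAL_FROM else 1
    if len(req.approvals) >= needed:
        # Step 4: hold until the cooling-off window after the last bank-detail change has passed
        hold_until = req.member.bank_changed_at + COOLING_OFF
        req.release_not_before = max(req.requested_at, hold_until)
        req.state = "APPROVED"


def release(req: PayoutRequest, now: datetime) -> int:
    """Step 5: pay out only once the hold has expired."""
    _require(req, "APPROVED")
    if now < req.release_not_before:
        raise WorkflowError(f"on hold until {req.release_not_before:%Y-%m-%d}")
    req.state = "RELEASED"
    return req.amount


def demo() -> dict:
    """Walk one constructed request through the workflow and record what was blocked."""
    member = Member("M1001", "62012345678", bank_changed_at=datetime(2024, 9, 1))
    req = PayoutRequest(member, 30_000, datetime(2024, 9, 3), captured_by="agent-a")
    out = {}
    try:
        verify_identity(req, "agent-a")          # same agent as capture: rejected
    except WorkflowError as e:
        out["same_agent_blocked"] = str(e)
    verify_identity(req, "agent-b")
    confirm_with_member(req, callback_number_on_file=True)
    approve(req, "supervisor-1")
    out["state_after_one_approval"] = req.state  # R30,000 needs a second approver
    try:
        approve(req, "agent-b")                  # already verified identity: rejected
    except WorkflowError as e:
        out["verifier_as_approver_blocked"] = str(e)
    approve(req, "supervisor-2")
    out["release_not_before"] = req.release_not_before.date().isoformat()
    try:
        release(req, datetime(2024, 9, 10))      # still inside the 14-day cooling-off
    except WorkflowError as e:
        out["early_release_blocked"] = str(e)
    out["paid"] = release(req, datetime(2024, 9, 15))
    out["final_state"] = req.state
    return out
```

The hold is anchored to the date of the last bank-detail change, not to the request date, so a fraudster who changes the account and immediately requests a payout waits the full window, while a member whose details have been stable for months is not delayed.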
Contact centre agents should be:
• Trained to be extra vigilant when dealing with two-pot requests;
• Trained through simulations to recognise the signs of fraud and phishing attempts, and equipped with the knowledge and tools to verify the identity of callers and to handle suspicious requests appropriately; and
• Rewarded for taking the time to perform due diligence instead of rushing through transactions, including verifying the authenticity of calls and emails, validating the legitimacy of payout requests and reporting any irregularities.
Members should be:
• Made aware of the risks and scams targeting their savings pot;
• Given clear guidance on how to verify whether a call, email or person is a legitimate agent of the fund;
• Encouraged to have a healthy scepticism and “slow diligence”; and
• Aware that agents will never rush them into a decision, nor ask them to divulge sensitive or authentication information such as passwords or one-time PINs.
Organisations should identify specific triggers, patterns and suspicious activities that could indicate a cyber attack or fraud attempt relating to the two-pot system, for example a change of banking details followed shortly by a withdrawal request. Existing monitoring systems and processes should be augmented with these indicators.
This is an industry-wide problem that is best solved together as an industry. Organisations should collaborate to share intelligence on potential and actual cyber threats and fraud attempts. Helping one another detect, prevent and respond to attacks and fraud multiplies and fortifies the collective defences.
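Because there is no historical baseline of two-pot withdrawals to model “normal” against, the indicators have to be deterministic rules on the sequence of events around a member’s account. The following is an added example of such rules run over a constructed log, not any fund’s monitoring logic: the pipe-delimited log format, the event names, the three members and the 7-day and 24-hour windows are all assumptions made for the illustration.

```python
"""Rule-based fraud indicators for two-pot withdrawals, run over constructed event logs.
Added illustration; the log format, event names and time windows are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WITHDRAWAL_AFTER_BANK_CHANGE = timedelta(days=7)   # assumed window
BANK_CHANGE_AFTER_RESET = timedelta(hours=24)      # assumed window

# Constructed sample log, one event per line: timestamp|member|event|key=value...
SAMPLE_LOG = """
2024-09-02T08:15:00|M1001|PASSWORD_RESET|channel=app
2024-09-02T08:40:00|M1001|BANK_CHANGE|account=62012345678
2024-09-03T09:05:00|M1001|WITHDRAWAL_REQUEST|amount=30000
2024-09-02T10:00:00|M2002|BANK_CHANGE|account=62012345678
2024-09-04T11:30:00|M2002|WITHDRAWAL_REQUEST|amount=25000
2024-06-01T12:00:00|M3003|BANK_CHANGE|account=62099988877
2024-09-05T14:00:00|M3003|WITHDRAWAL_REQUEST|amount=12000
""".strip().splitlines()


def parse_event(line: str) -> dict:
    """Split one pipe-delimited line into a dict with a parsed timestamp."""
    ts, member, event, *pairs = line.split("|")
    attrs = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "member": member, "event": event, **attrs}


def find_indicators(lines) -> dict:
    """Return {member_id: [indicator, ...]} for members that trip at least one rule."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_member = defaultdict(list)
    members_per_account = defaultdict(set)     # new bank account -> members who switched to it
    for e in events:
        by_member[e["member"]].append(e)
        if e["event"] == "BANK_CHANGE":
            members_per_account[e["account"]].add(e["member"])

    flags = defaultdict(list)
    for member, evs in by_member.items():
        last_reset = last_bank_change = None
        for e in evs:                          # already in time order
            if e["event"] == "PASSWORD_RESET":
                last_reset = e["ts"]
            elif e["event"] == "BANK_CHANGE":
                # Rule 1: account takeover pattern, credentials reset then payout account changed
                if last_reset is not None and e["ts"] - last_reset <= BANK_CHANGE_AFTER_RESET:
                    flags[member].append("bank change within 24h of password reset")
                # Rule 2: the same new account collecting several members' money (mule account)
                if len(members_per_account[e["account"]]) > 1:
                    flags[member].append("new bank account shared with other members")
                last_bank_change = e["ts"]
            elif e["event"] == "WITHDRAWAL_REQUEST":
                # Rule 3: payout requested soon after the destination account was changed
                if last_bank_change is not None and e["ts"] - last_bank_change <= WITHDRAWAL_AFTER_BANK_CHANGE:
                    flags[member].append("withdrawal within 7 days of bank change")
    return dict(flags)


if __name__ == "__main__":
    for member, reasons in find_indicators(SAMPLE_LOG).items():
        print(member, "->", "; ".join(reasons))
```

In the constructed log, M1001 trips all three rules, M2002 shares the new bank account and withdraws two days after changing it, and M3003, whose account change dates from June, produces no indicator. Rule 2 is the one that only works across members, which is why it benefits most from the cross-industry intelligence sharing the article calls for: a mule account used at one fund is likely to appear at others.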
While the introduction of the two-pot system happens on a particular date, the increased risk is not a one-off event. The savings pots will increase in value over time, making them lucrative targets for cyber criminals and fraudsters. Since the retirement savings accounts are intended for long-term savings, fraudulent activities may go unnoticed for extended periods, giving fraudsters more time to cover their tracks or siphon off funds gradually.
Recognising that the threat is not a one-off event but an ongoing challenge is crucial. Retirement funds need to continuously update and improve their security measures in response to evolving threats. Allocating resources to cybersecurity, fraud prevention and member education should be seen as a necessary investment to protect the long-term interests of the fund and its members.
• Wilson is EY partner and Western Cape consulting leader.