Retirement fund cyber wipeout likely
At least one South African retirement fund is likely to lose all its investments to cybercrime within the next five to 10 years if the industry does not address the high cybersecurity risk it faces.
This is the view of Sanlam's retirement fund administration executives, and is echoed by the head of IT services at tax, advisory and auditing firm BDO.
Viresh Maharaj, the CEO for corporate sales and marketing at Sanlam, says cybercrime is the single biggest threat to the retirement fund industry, bigger than longevity or costs.
In Sanlam's soon-to-be-released Benchmark survey of retirement funds, Sanlam Employee Benefits head of special projects David Gluckman predicts that at least one high-profile data breach within a South African retirement fund is highly likely over the next decade, due to low cyber-resilience in pockets of the industry. Such a breach may ultimately result in members' investments with such a fund being compromised.
Graham Croock, director of BDO's IT advisory services, says he believes a breach taking out a retirement fund "lock, stock and barrel" will occur within five years.
Croock says that as a retirement fund member he is concerned as SA has huge exposure to cybercrime.
Maharaj says the increasing risk of cyberattacks was highlighted recently by international technology firm IBM in its X-Force Threat Intelligence Index, which notes tens of millions of spam and phishing attacks daily on its infrastructure in 130 countries.
IBM says cyberthreats have reached "unmanageable levels" for many companies and the most-attacked industry in the world is finance and insurance.
Maharaj says the rich data held by retirement funds and their service providers, including the names, identity numbers, tax numbers, age, gender, salaries, fund values, employer details, beneficiary details and contact details of millions of members, makes the industry a target for cyberattacks.
A year ago, Liberty's e-mail repository was hacked and the hackers demanded a ransom. But Maharaj says Liberty is not the only financial services company to have been the victim of a cyberattack recently.
Croock says attacks are happening all the time and his company is dealing with a breach at a major bank. He says hackers are intercepting information about large trades that financial services companies will execute and using this information to buy shares or short sell them for their own gain at the companies' expense.
He hasn't yet dealt with a breach at a retirement fund, "but it is coming", he says.
Describing the increase in cybercrime as "terrifying", the Financial Sector Conduct Authority's executive for regulatory strategy, Caroline da Silva, says the FSCA is seeing an increase in reports about cyberhacking attempts and is concerned about the vulnerability of the financial services market to cyberattacks, and the implications this will have should savings or personal data be compromised.
Liberty's senior executives told Money this week that the company is continually investing significant resources to ensure it protects its customers and their data.
However, the methods used by highly sophisticated criminals are evolving at the same pace as those used to protect data, they say.
Alexander Forbes's head of product development and research, Michael Prinsloo, says cybersecurity risks are definitely increasing, but they are not peculiar to the retirement industry. The risk of a major hack in a fund is as great as the risk that your investment or bank account could be cleared out by criminals, he says.
There are a number of entities responsible for your retirement investments, from asset managers to custodians, who would all need to be hacked to clear out a retirement fund, he says.
Da Silva says the regulator is working with its own experts to determine how to respond when a company notifies it that its systems have been hacked and what it should advise the company to do if it does not know how to respond to a cyberattack.
She says the regulator is reviewing all its standards on cyber-risk and cyberprotection to ensure they are sound and that responsibility for the risk is proportionate to the size and role of the service provider.
Sanlam has written to the regulator outlining its exposure to an attack and expressing its concern that other companies do not have the capability and resources to protect data and investments, says Da Silva.
The FSCA and its experts need to determine if the measures adopted by administrators are adequate and, if not, how the regulator should respond, and whether the regulator could send in its own team if a provider is hacked and not able to deal with the breach, she says.
Maharaj says Sanlam has prepared a set of questions that it believes will help employers and consultants to determine if their retirement fund administrators are "cyber-resilient". A major breach at any administrator will erode trust and create problems for the entire industry, he says.
Trustees have a fiduciary duty to ensure fund members' data is secure, and consultants can also be held liable by employers for their advice about administrators for their employer-sponsored funds.
If trustees or advisers do not know who has the requisite skills to deal with ever-increasing cyberthreats, they should hire experts to advise them, says Maharaj.
Da Silva says legislation regulating financial institutions includes strong governance principles about how companies must be adept at managing risks.
Maharaj says the Protection of Personal Information Act and the King 4 code of corporate governance oblige companies to not only secure your data but also identify reasonably foreseeable risks and implement safeguards against them. A cybercrimes bill has also been tabled in parliament. It will oblige financial services providers to report any form of cybercrime, he says.
Croock says financial services companies are reluctant to pay for services such as vulnerability assessments and regular cyber audits, especially as many are priced in US dollars, or to pay premiums on insurance cover, as this inflates their costs and detracts from their performance in a competitive market.
Liberty's executives agree that staying abreast of information security requirements is expensive but say this is not a reason for the trustees to totally ignore the issues. Larger administrators can share costs across larger member bases.
Maharaj says the industry is fixated on costs, but fails to see that a small saving on administration could mean the difference between secure data and investments and an administrator that is like a house with no burglar guards, security gates or alarm.
Prinsloo agrees the focus on fees could prevent spending on necessary security measures, which highlights the need for employers and consultants to deal with reputable administrators.
Liberty says its umbrella fund and its trustees are insured under a fidelity guarantee policy and the company provides comprehensive insurance cover for crime, professional indemnity and cyber-risks.
Prinsloo says very few funds have insurance for anything more than 2% to 5% of the fund - mainly to cover the costs of recovery of data and legal issues that may arise.
What can you do to lessen the risks?
• When retirement fund members submit information to an administrator, they should do so via secure portals, says Liberty.
• The administrator says everyone needs to be vigilant with their personal information. It is always good digital practice to change your password regularly and to refrain from using the same password across multiple devices and platforms.
• Make sure you have a strong password, with a combination of upper-case letters, lower-case letters, symbols and numbers, where applicable. It is also best practice to change passwords only via secure platforms, it says.