During the 1st quarter of 2020, many pension funds were forced to rapidly deploy technology in response to Covid-19 to enable a remote workforce. IT teams across the globe worked quickly to deploy laptops with VPN capabilities and to enable cloud solutions (such as Zoom or Microsoft Teams) to meet operational needs. As a result, the attack surface for pension funds expanded from the controlled corporate network to cloud services accessed from the homes of employees and 3rd parties, as shown above.
After the initial rush and the associated avalanche of challenges and lessons learned, funds emerged with an understanding that a distributed workforce model could yield sustainable operational success. However, cyber criminals are now taking advantage of weakened cyber defenses, leading the US Cybersecurity and Infrastructure Security Agency (CISA) to issue guidance to employers.
As a result, many pension funds are now asking the same question: “What does the future mean for my organization’s cybersecurity?”
While the initial response to Covid-19 led to many new security tactics, cyber criminals will continue to evolve and threaten this new landscape. As fiduciaries of the fund, pension funds must review their cybersecurity approaches and ensure they align with the emerging threats of the new cyber landscape. Ideally, these strategies should be governed in the same manner as financial and investment risk management.
For organizations starting out on this journey, here are 3 areas that all organizations should focus on to strengthen cyber defense in the wake of Covid-19:
Similar to actuarial and financial audits, funds need to assess their ability to protect against current and future cyber threats by leveraging a tested framework. Many organizations have adopted the Cybersecurity Capability Maturity Model (C2M2), developed by the Departments of Energy (DOE) and Homeland Security (DHS), to assess their current cybersecurity posture and develop risk mitigation strategies. The C2M2 model will assist funds with:
· Completing a Self-Assessment of existing policy and procedures
· Developing a Gap Analysis of potential cyber vulnerabilities
· Building a Prioritization Matrix based on risk and cost, and
· Tracking an Implementation Plan to improve cyber maturity
Developing a sound access control policy that governs a diversified user group will protect against cyber threats. The access control policy should identify your organization’s strategy for handling the following types of access:
· Employee Access – Access should be limited based on the employee’s role within the organization. Password complexity and reset rules should be strictly enforced.
· Administrative Access – Internal administrative accounts need to be governed by a privileged account management tool to add a critical layer of defense.
· Member/Employer Access – Access should be vetted and reviewed regularly. Multifactor authentication protocols should be implemented as a requirement.
· 3rd Party Access – Security evaluations should be completed to assess the 3rd party’s cyber defenses prior to granting system access. Administrative accounts should require the use of VPN and a privileged account management tool.
Building protections around personally identifiable information, protected health information, and financial data is a critical approach to reducing the threat of a cyber breach. Funds need to build a data protection strategy that allows for real-time monitoring and control of sensitive information. These controls should be governed by System Communication and Information Integrity policies to mitigate the potential leakage of protected data. The controls should extend beyond the corporate network to ensure proper governance for a distributed workforce.
Starting these initiatives can improve your organization’s cybersecurity maturity, but keep in mind: cyber threats don’t rest, they persist. Fund fiduciaries would be wise to follow the same strategy.