Cybersecurity in pensions

Public pension providers are often targets of cyber criminals looking to access and steal the sensitive information of their members and employers.


In brief
  • Cybercriminals will often attempt to gain access to public pension systems through common areas of vulnerability.
  • Defining an organization’s cyber risk appetite and producing accurate and up-to-date reports to enhance decision-making is critical.

New threats and cyber attacks on public pension providers arise practically every day. As many organizations are transforming to add new technology and functionality, adequate cybersecurity measures must be included in these plans.

Common areas of vulnerability


Cybercriminals will often attempt to gain access to public pension systems through common areas of vulnerability. Organizations can significantly benefit from enhanced vigilance surrounding the following areas:
 

  1. The pension provider’s website
  2. Member and employer portals for pension administration
  3. Investment operations conducted by staff
  4. Third-party service providers, such as investment service providers, like custodians and asset managers


Identifying the risks involved with vulnerabilities in each of these areas is vital to protect the organization from attack.


The pension provider’s website

The website that members and retirees use to access their information is readily available online. Unfortunately, this availability also exposes it to hacking and cyber attacks. Moreover, many public pension providers, even with security software in place, remain vulnerable to attack if that software is not updated correctly.

Risk is added to this area if the website does not have adequate security protocols in place. For example, encryption, firewalls and two-factor authentication are security measures that may not always be in place, but are necessary. In addition, as the frequency of cyber attacks increases, the tactics that criminals use to gain access through providers’ websites are constantly becoming more sophisticated and must be met with an equal level of sophistication.


Member and employer portals for pension administration

The portals that public pension providers’ members and employers typically use to send information to and receive information from the provider are a source of vulnerability. These access points often provide fertile ground for phishing scams, which a hacker uses to steal a user’s login credentials and access their sensitive personal and financial information. Similarly, cybercriminals could contact the pension provider directly to execute an account takeover and redirect the member’s funds to themselves.

Investment operations conducted by staff

A particularly attractive target for cybercriminals attempting to access a public pension provider’s network is the investment operations conducted by its staff. Criminals could gain access to investment information if the provider’s staff are not adequately trained or aware of cyber attacks, like phishing. By gaining knowledge of the organization’s investment operations and the investments it manages, the criminals could manipulate investment transactions to redirect these investment funds to their own accounts. Although similar to the member account takeover, in which the criminal redirects the funds intended for the member, redirecting these investment funds represents a potential payout to the criminal on a much larger scale. A loss of this magnitude would have a significant negative financial impact on the provider.


Third-party service providers, such as investment service providers, like custodians and asset managers

Third-party service providers hired by public pension providers are another potential access point for cybercriminals. Some of these third-party service providers are enormous companies serving many massive clients, making them desirable targets of cybercriminals. Once criminals gain access to one of these companies, they often have access to all of its clients’ systems.

If these third-party vendors aren't adequately vetted before they are allowed access to the system, the pension provider’s system is open to attack. In addition, these vendors may not have proper cybersecurity measures in place, their employee security training may be inadequate, and any smaller vendors that these larger vendors use may also have inadequate security measures. Breaches of massive vendors serving large clients, like US government agencies and public pension providers, have made global news in the last few years, severely damaging the reputations of both the vendors and their clients and reducing their members’ confidence. For example, the very public breach of a large IT solution provider affected its customers, including the US departments of Health, Treasury and State. Damage is estimated to be in the billions of dollars, with residual issues caused by this breach that may take many years to resolve completely.


How is the organization addressing the cybersecurity challenges that it faces?

To adequately address an organization’s cybersecurity challenges, proper risk management must be applied from the board level down. Defining the organization’s cyber risk appetite and producing accurate and up-to-date reports to enhance decision-making are necessary to make this happen.

According to the EY Global Information Security Survey of 2021, “Eighty-one percent of executives say that COVID-19 forced them to bypass cybersecurity processes.” To get back on track and properly meet the rising cybersecurity risks, these organizations will need to accurately represent their cyber risk profile and present it in a way that senior decision-makers can use to make proper decisions regarding cyber risk. This process starts with properly assessing the organization’s risk level and communicating this information to leadership.


5-step process to assess an organization’s cyber risk level

Cyber risk management in a public pension plan should be defined and addressed from the top down. We can help organizations start addressing some of the general cybersecurity issues that they face in both the short and long terms and assist with cybersecurity design planning.

Any transformation efforts on aging systems must employ adequate and updated cybersecurity measures. Protection against top cybersecurity threats, such as phishing, malware and ransomware, is essential and should be updated constantly. The pension provider’s website should have adequate encryption, firewalls and two-factor authentication protections.

Summary

The pension provider’s website should have adequate encryption, firewalls and two-factor authentication protections. Employees, employers and members should have proper security training to protect against phishing scams and malware loaded onto their computers. The organizations must have appropriate procedures in place to vet third-party vendors to ensure that they have adequate security and employee training in place before allowing them access to the system.
