Pension and retirement systems have become a prime target for cyber criminals. These systems store large amounts of personally identifiable information (PII) that contains Social Security numbers and other details specific to an individual’s identity. Weak legacy systems make it easier to infiltrate pension systems. Furthermore, pension agencies share data with other organizations, thus lowering their own protective barriers.
Pension systems must shed false assumptions about their level of security risk. Instead, they should do their due diligence to protect themselves and their member data as thoroughly as they can.
“We are secure.”
Many pension agencies believe they are secure, likely because a breach hasn’t yet struck them. The reality is that agencies are not secure, as large quantities of the PII they store sit on old legacy platforms. These outdated systems create a frail protective layer.
In the case of one state revenue department, 1970s equipment contributed to a data breach that exposed Social Security numbers of 3.8 million taxpayers—plus credit card and bank account data. As more agencies explore digital possibilities and engage with members through mobile and other emerging technologies, they will increase their exposure to cyber risk.
“Security costs too much.”
Security certainly has a cost, but those costs can be contained if improvements are made incrementally. Pension systems should prioritize the highest risks and protect the most vulnerable systems first. Each improvement has the power to exponentially enhance the security posture of an agency.
The price of inaction is immense: a data breach can open the door to future attacks, erode member trust, create legal issues, carry regulatory implications, and be catastrophically expensive to remediate. A data breach at a state controller’s office exposed personal data of approximately 3.5 million people and cost the agency $1.8 million to mitigate the breach.
“Our data is on the premises, so it’s safe.”
Pension agencies may house member data onsite, but they collaborate with providers outside of the organization. The protective walls of an agency come down when its systems connect to a broader network of partners or governing bodies. Furthermore, hackers don’t necessarily need direct access to data to do harm. Pension systems should formally examine all access points to reveal weaknesses both on site and among external providers.
“New technology will keep us protected.”
As digital transformation accelerates and agencies maximize their use of the Internet of Things, they are increasingly exposing data to unknown channels and entities. The culture within a pension system can be among the biggest cyber threats. Many employees lack the knowledge to distinguish a phishing scam from a legitimate marketing email. One employee opens the wrong file, and the door is open to the next data catastrophe.
A cyber security assessment can help pension organizations understand their current security standing, and how they can make enhancements with existing and new technology.
The reality is that everyone has a chance of being attacked at some point. The questions are: when will it happen, will the attackers be able to reach sensitive data, and if so, are you prepared to remediate quickly?