
Archimedes (285-212 B.C.) set out to measure the circumference of a circle (or, as he might have called it, the “enclosed boundary of a geometrical space”) by measuring the straight sides of an increasingly large number of smaller and smaller polygons, both inside and outside the circle. He soon realized that no matter how many polygons he used, he could never quite measure the circumference. He learned that there were bounds on both the outside and the inside of the circle that came close, but not close enough; hence his discovery of π (pi) to fill the gap. It is the same with trying to be successful in preventing cyber attacks, or what my MIT professors mean when they say “a negative goal”: something to which we can aspire but which cannot be reached.

Both software and hardware security breaches, at least those which have been reported, cost global corporations $440 billion in 2015. Juniper Research, based in the UK, estimates that this number will jump to $2 trillion by 2020, with over 60% of the breaches occurring in the US alone. Boards and trustees are already familiar with the concept of risk management for other corporate assets; however, only recently has the idea of cyber risk to retirement assets surfaced at the board level.

Retirement plan assets and money held in trust for others (associations, foundations, etc.) already fall under the role of the fiduciary. We anticipate the requirement to monitor cyber security protocols being included in upcoming refinements to the Global Fiduciary Standard of Excellence (GFSE) for all fiduciaries.

In a recent Advisory by the global law firm of Pillsbury, Winthrop Shaw and Pittman (23 February, 2016), Pillsbury helps illuminate the issues facing plan fiduciaries:

“Retirement plan sponsors face ever-evolving cyber-related threats to plan assets and participant personal information. To combat such threats, plan sponsors should proactively assess the third-party service providers’ ability to detect, prevent and respond to cyber attacks against the retirement plan. In order to minimize a retirement plan’s overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including focusing on evaluating its third-party service providers’ cyber security programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated risks from losses in the event of a cyber attack.”

In particular, the Advisory suggests what a cyber risk management strategy might include at a minimum:

  • conduct thorough due diligence on its third-party administrators and vendors (TPAs);
  • implement and periodically review contractual protections and insurance requirements in arrangements with its TPAs;
  • periodically monitor the TPAs’ cyber security compliance and related risks, and consider and, if appropriate, utilize the SAFETY Act and purchase cyber and privacy insurance.

The truth is that the ever-changing rules of engagement in cyber security and the increasing sophistication of the attacks mean that, as the Advisory points out:

“… a retirement plan sponsor and plan administrator should focus on risk management, and not risk elimination, that can be achieved by the sponsor’s and plan administrator’s vigilance in establishing cyber security procedures and protocols with respect to its TPAs. Failing to do so may result in irreparable consequences for the plan sponsor, the plan administrator, the retirement plan and the participants.”

Cyber security is no longer just an “IT issue”. C-suite executives, trustees and board members are increasingly aware of the issue, especially since the recent publicity surrounding Apple and encryption. Proper fiduciary governance must include a strategy to detect, react to and resolve cyber breaches, for they will happen. Complete security from cyber intrusions is unattainable, very much like using polygons to measure the circumference of a circle.