You receive a phone call from your company’s Corporate Secretary while traveling in Asia that your global pension fund has been hacked. It is quite likely that the Wall Street Journal or the Financial Times will publish articles about the incident within the next 24 hours. What preparations have you and your fellow trustees put in place in anticipation of such an event?
One of the most important duties of a fiduciary is to maintain the safety and security of information in the employees’ retirement and health safety accounts. It is not enough to say “we encrypt our data”. What proof can you provide that there are steps in place to maintain the integrity of the employee information?
The National Institute of Standards and Technology (NIST) in the US provides a variety of resources to help improve cyber security. The NIST Cyber Security Framework “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.”
Based on the ISO27001:2013 Global Standard, the Framework details a set of cybersecurity activities, desired outcomes, and applicable references that are common to non-profit as well as for-profit organizations. The following functional levels are at the core of the framework:
* Identify: what systems need to be secured and at what level?
* Protect: what processes do we have in place to protect the data?
* Detect: in monitoring our retirement funds, how do we detect an intrusion?
* Respond: how do we respond if/when a breach occurs?
* Recover: what steps do we need to take in case our security is compromised?
Following the above functional areas and their underlying criteria enables fiduciaries to demonstrate that they have taken the appropriate steps to identify what the crucial data is, to show how that data is protected, and to provide assurance that when a breach occurs, a process is in place to respond and recover. Significant cost savings can be obtained through lower insurance premiums and less downtime during recovery. Board members, fellow trustees and employees can sleep at night knowing that world-class efforts have been made to secure their private information.
Following a conversation with your senior risk management team, you feel prepared to brief the full board and assure them that there are adequate plans in place to mitigate the damage and quickly recover. In addition to communicating within the company, your legal and communications teams are ready to respond to any enquiries from the press and the federal authorities.