
Cybersecurity and your retirement fund

Cybercrime is a growing threat to financial institutions worldwide, and retirement funds are no exception. Here are six things trustees should know.

1 Cyber insecurity ranks 4th among the top 10 global risks for the next two years in the World Economic Forum's Global Risks Report 2024, up four places from the previous year.

2 Retirement funds hold vast assets and sensitive member information, making them prime targets for attackers. If a retirement fund does not have proper cybersecurity measures in place, cybercriminals can steal members' information and commit identity theft. Attackers can also disrupt operations (i.e. cause systems to crash or shut down, so that members might not be able to receive payouts). Some attackers even blackmail retirement funds into paying a ransom to restore functionality.

3 The largest cyberattack on a retirement fund to date was the February 2024 attack on the Government Pensions Administration Agency (GPAA), which manages the Government Employees Pension Fund (GEPF). The ransomware group LockBit gained access to the GPAA's systems. According to MyBroadband, LockBit set a deadline of 11 March 2024 for the GPAA to pay the ransom.

The GPAA refused, and LockBit then released on the dark web a 668 GB file allegedly containing data stolen from hundreds of government employees.

4 In light of the above, the cybersecurity findings of PwC South Africa's seventh annual Retirement Fund Survey, released in April 2023, are worrying. The survey included 60 funds, 15 of which have assets above R10 billion. Eleven percent of the participants indicated that their fund and/or service provider had experienced a cybersecurity threat and/or attack during the last financial year, while a further 11% did not know whether any attacks had occurred. The survey also found that one in three trustees was not particularly concerned about cyber risks, and that a significant number of funds lacked adequate insurance cover for financial losses caused by cyber incidents. What is your board of trustees' stance on the matter?

Figure 1: Participants who indicated that the fund and/or a service provider of the fund had a cybersecurity threat and/or attack during the most recent financial year

5 The government and financial regulators have taken steps to address the cybersecurity challenge. In May 2024 the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience, which is likely to come into effect in June 2025. The Joint Standard applies to financial institutions such as pension funds and administrators and requires them to implement robust cybersecurity measures.

6 In terms of section 7D of the Pension Funds Act, retirement fund trustees must do everything reasonable to protect members' savings. Even if they appoint other companies to handle some of the fund's work, the trustees remain ultimately responsible for keeping the fund's information and assets safe.

Under the administrative penalties imposed in terms of section 167 of the Financial Sector Regulation Act of 2017, trustees of retirement funds can be held personally liable for failing to implement the provisions of the Joint Standard.  

The FSCA and the PA have emphasised that trustees have to ensure compliance with these standards. Non-compliance could result in substantial penalties, including personal liability for losses resulting from a data breach.  
