CYBER SECURITY: Editorials: Edition: July / September 2019


Frightening stuff

As the risks of hacking mount alarmingly, service providers to retirement funds must take them much more seriously than they now do.

Not a moment too soon has Sanlam executive Viresh Maharaj highlighted the real and present danger that poor resilience to cyber attacks can threaten SA’s entire retirement-fund industry.

In a presentation to the annual Sanlam benchmark symposium, he didn’t mince his words: a breach found in the systems of any one service provider would cause ripples of anxiety throughout the industry, which depends on customer trust, and it was possibly only a matter of time before a hacker breaks through.

If the industry did not address the high risks posed by cybercrime, he warned, within the next 10 years at least one SA retirement fund could lose all its investments. And yet, as the benchmark research shows, recognition of the risks is not commensurately accompanied by preparations to avoid them.

According to the benchmark research, consultants consider the evaluation of cyber risk as the least important business challenge and employee-benefits consultants rank cyber security as the lowest risk. They overwhelmingly believe that a fund’s administrator or sponsor should be held liable for losses in the event of cyber crime.

Okay, so hold them liable. But what then? How is the liability to be transacted when records have disappeared? Or when the administrator is faced with compensation claims in billions of rand? And what liability, if any, rests with advisers (where data loss can also occur) on whom employers and trustees rely in selecting their fund’s administrator?

One way to find out, of course, is the hard way. Another way is to mitigate the risks, so far as practically possible, by much higher levels of awareness. This implies, in the first and most urgent instance, that advisers insist on comparisons of administrators’ cyber proficiencies. It should open the way for competitive pressures to promote industry-wide attention to the control systems that avert worst-case scenarios, including widescale identity theft.

Collective effort and far greater discipline are required to evaluate and monitor cyber resilience, Maharaj urges. He points out that only on a few occasions, across 8 000 quotes, has Sanlam been asked about it.

The research uses a 2018 Refinitiv survey to reveal the cost of financial crime. Of 2 373 global respondents (123 from SA), some 20% had experienced financial loss from cyber crime. The average cost, typically at $4bn per breach, has increased by 62% over the past five years. It most recently aggregated an annual $600bn, roughly three times the annual loss from natural disasters.

Specifically in the UK, the Financial Times reports, last year financial-services companies saw a five-fold increase in data breaches compared with the previous year. This is “seen as the latest sign of how the sector is under relentless attack from hackers”.

In 2018 the companies reported 145 breaches to the Financial Conduct Authority, up from 25 in 2017. Investment banks reported the highest number of incidents at 34, up from just three the previous year, while retail banks saw the sharpest rise in percentage terms, from one to 25 incidents.

Last April it emerged that seven UK retail banks, including Royal Bank of Scotland and Barclays, had to limit or shut down their systems. This was after sustained attacks that cost them hundreds of thousands of pounds to remedy. In October, the FCA fined Tesco Bank £16,4m as a result of a cyber attack which saw £2,26m stolen from current accounts across 34 transactions.

In Europe, the Dutch pensions supervisor is concerned that the risk of data-security incidents is increasing as pension funds insufficiently factor cybersecurity into their risk assessments. It also noted that pension funds often did not have sufficient knowledge of security measures at their outsourced service providers: “As a consequence, (pension) schemes are unable to show that they are in control or make clear that measures are effective.”

It’s scant comfort that SA isn’t alone. Forewarned, Maharaj is hoping that consultants will stimulate a “herd immunity” across the sector for better protection of fund members. 

Maharaj . . . dangerous omens
