
The Effects of the Geopolitical Environment on Cybersecurity for Pension Plans

By Barbara Walancik and Teri Truong, TELUS Health (formerly LifeWorks) 
April 25, 2023

In 2021, days after the Canada Pension Plan Investment Board made a $315 million investment deal for a five percent stake in the Texas-based software firm SolarWinds Inc., SolarWinds systems were hacked by Russian hackers, sending its share price spiraling.[1] This incident, and others like it, have unfortunately become daily news globally. Not surprisingly, the Canadian Financial Services Risk Outlook Survey has ranked geopolitical and cybersecurity risks among the top five risks to financial services in Canada this year.[2]

Strained relationships between the world’s superpowers are increasingly becoming a risk that pension plans need to consider, not just in how they invest but also in how they protect plan information and assets from cybersecurity threats. In recognition of the growing importance of cybersecurity, Canadian regulators have also turned their attention to it, imposing governance requirements and developing guidelines for cybersecurity practices.

The current geopolitical environment’s effect on cyber risk 

The last few years have been a trying time for the world. From the COVID-19 pandemic to the invasion of Ukraine by Russia and heightened tensions between the US and China, an unpredictable geopolitical environment has ensued. Although tanks rolled across the Ukrainian border in early 2022, the war on Ukraine had already been under way for years. The Russian military has been linked to several cyber attacks attempting to cripple various international entities, including Ukraine’s critical infrastructure. In 2017, the NotPetya attack, which has since been attributed to the Russian military, shut down multiple Ukrainian organizations, including banks, ministries, electricity firms and newspapers, and affected organizations in other countries.[3]

What does this mean for businesses and specifically pension plans? 

While traditionally seen as separate risks, geopolitical and cyber risks, when tied together, represent a new form of warfare. For years, many believed cyber attacks were threats isolated to the technology sector; however, cyberspace has become a battlefield alongside the traditional domains of land, sea and air. Unlike the others, cyberspace offers the highest degree of anonymity and deniability, potentially eliminating the possibility of holding offenders accountable.[4] This is attractive to nation states that seek to attack and destroy those they deem enemies. In fact, given the challenges Russia has faced in Ukraine, cyber attacks attempting to cripple Ukraine have reportedly increased, with Russia turning to the cyber domain to slow down the Ukrainian counteroffensive.

Prosecution of such cyber threat actors is also unlikely given the uncertainty of location and potential jurisdictional issues. 

Pension plans are especially vulnerable as they hold vast amounts of personal and financial data. Pension plan administrators need to be vigilant now more than ever in protecting themselves not just against domestic but also foreign threat actors. 

How have pension plans been affected?

In 2022, Hong Kong Watch, the U.K.-based human rights watchdog, released a report calling on Canadian pension plans to take Russia’s invasion of Ukraine as a warning and to stop investing in China.[5] In early 2023, the Ontario Teachers’ Pension Plan reportedly paused private deals associated with China due to the geopolitical risk.[6] Canadian pension plans are examining the geopolitical environment and having to make tough choices in order to mitigate the growing risks emerging in the wake of the Russian invasion of Ukraine and tensions with China.

Data on cybersecurity breaches in Canada is not easily available, as reporting requirements vary and for the most part only require material breaches to be reported to the applicable privacy commissioner or regulator. Looking to other parts of the world, however, we can expect Canadian pension plans to face similar risks. The United Kingdom’s Information Commissioner’s Office reported that since the beginning of the COVID-19 pandemic there have been an average of five cyber attacks on pension schemes a month.[7] In the Netherlands, 5% of pension schemes have suffered cyber attacks, leading the Dutch pension regulators to warn that all pension schemes must now take IT security into their risk assessment framework.[8] The numbers are likely significantly higher once the third-party service providers that pension plan administrators use are taken into account.

What can pension plans do to mitigate some of the risk? Canadian regulators have started to turn their attention to providing best practices in ensuring pension plan administrators are fulfilling their fiduciary duties. 

Canadian regulators weigh in

Although there is no bulletproof way of fully protecting an organization against a cyber attack, surveys show that spending on cybersecurity in Canada increased by $2.8 billion between 2019 and 2021, to $9.7 billion.[9] With the shift to working from home during the pandemic and the security risks this brought, we expect this number to be much higher today.

Following suit with other jurisdictions, regulators in Canada have increasingly turned their attention to ensuring pension plan administrators fulfil their fiduciary duties through the implementation of appropriate governance procedures and policies, including considering cybersecurity risks. The Canadian Association of Pension Supervisory Authorities (CAPSA), whose members include all Canadian pension regulators among others, has issued draft guidelines on Cyber Risk and Environmental, Social and Governance (ESG) Considerations as part of its risk management guidance.

In addition to CAPSA, several regulators at the federal and provincial levels have released guidelines or are in the process of consulting on guidelines with their stakeholders, including: the Office of the Superintendent of Financial Institutions’ (OSFI) Technology and Cyber Risk Management Guideline (Guideline B-13), the Financial Services Regulatory Authority of Ontario’s (FSRA) Proposed Information Technology Risk Management Guidance and the British Columbia Financial Services Authority’s (BCFSA) Outsourcing and Information Security Guidelines.

The guidelines issued by the Canadian regulators have been principles-based, providing guidance on developing procedures and processes grounded in proportionality and in the pension plan administrator’s own risk assessment.

Several jurisdictions also have legislative requirements for governance policies, including federally and for provincially regulated plans in British Columbia, Alberta, Manitoba, Quebec, New Brunswick and Ontario (for target benefit plans, with further requirements expected for other plan types). As part of this, the legislation requires plan administrators to identify the material risks that apply to the plan and establish internal controls to manage those risks. With the adoption of guidelines on cybersecurity, we expect plans to focus on establishing appropriate governance processes and procedures to manage cyber risk.

Best Practices

As part of establishing a governance structure that includes cybersecurity, pension plan administrators should include the relevant parties in the process, including IT professionals, management and the Privacy Officer. Tabletop exercises that test the incident response plan are important to help everyone understand their roles and responsibilities and the policies and procedures that have been documented.

In addition, involving employees will raise awareness of the policies. It is important to offer ongoing learning opportunities, including mandatory ones, as over 80% of data loss incidents are attributable to human error.

Since most pension plans outsource various responsibilities and tasks, reviewing third-party service providers is a major part of risk management. It is crucial for the pension plan administrator to understand that although it may delegate certain tasks to third parties, it retains fiduciary responsibility. As such, plan administrators should confirm that third parties have appropriate cybersecurity processes and systems in place. This can and should also be done through contracts with the appropriate terms in place, including provisions addressing subcontracting, privacy and document retention, breach notification, insurance and the like.

While many plans have turned their attention to cybersecurity given the geopolitical environment, there is always room for improvement, particularly since new risks and new methods to attack systems, commit fraud and compromise data are constantly emerging.

[1] Douglas MacMillan, Canada’s Largest Pension Fund Bought SolarWinds Stake Days Before Hacking Disclosure, Stock Plunge, The Washington Post, December 31, 2020, https://globalinsolvency.com/headlines/canadas-largest-pension-fund-bought-solarwinds-stake-days-hacking-disclosure-stock-plunge

[2] Canadian Financial Services Risk Outlook Survey, Global Risk Institute, February 7, 2023, https://globalriskinstitute.org/publication/canadian-financial-services-risk-outlook-survey-2023/ 

[3] Cybersecurity & Infrastructure Security Agency, Petya Ransomware, February 15, 2018, https://www.cisa.gov/news-events/alerts/2017/07/01/petya-ransomeware 

[4] Maj Alred Lai, National Defence, Canadian Forces College, Cyber Deterrence: Implication for Canada and Its Allies, 2017-2018, https://www.cfc.forces.gc.ca/259/290/402/305/lai.pdf 

[5] Hong Kong Watch, New Hong Kong Watch ESG Report calls on Canadian pension funds to stop turning a ‘blind eye’ to gross human rights abuses in China, June 8, 2022, https://www.hongkongwatch.org/all-posts/2022/6/8/hkw-esg-report-calls-on-canadian-pension-funds-to-stop-turning-a-blind-eye-to-gross-human-rights-abuses-in-china 

[6] Layan Odeh and Ben Bartenstein, Ontario Teachers’ Pension Plan pauses private China deals, Financial Post, January 31, 2023, https://financialpost.com/fp-finance/ontario-teachers-pension-plan-pauses-private-china-deals 

[7] Brendan Maton, Pension funds at risk from cyber security threats, IPE magazine, January 2023, https://www.ipe.com/current-edition/pension-funds-at-risk-from-cyber-security-threats/10064179.article   

[8] Ibid.

[9] Statistics Canada, Cybersecurity risks impact Canadian businesses, March 10, 2022, https://www.statcan.gc.ca/o1/en/plus/514-cybersecurity-risks-impact-canadian-businesses

Barbara Walancik and Teri Truong, TELUS Health (formerly LifeWorks)  

Barbara Walancik is a Principal in the Retirement and Benefit Solutions group at TELUS Health. She is a seasoned lawyer with many years of experience practicing in pensions and benefits law, class actions, cyber security and privacy law. She has presented on topics related to good governance, focusing on the different types of risk pension plans and administrators face.

Teri Truong is a legal consultant in the Retirement and Benefit Solutions group at TELUS Health. With a background in litigation, cyber security and privacy law, she applies her breadth of experience to the area of pension and benefits law.