What Can Plan Sponsors Do To Vet a Provider’s Cybersecurity Processes?

Speakers at PLANSPONSOR’s Cybersecurity livestream address vulnerabilities exposed by the MOVEit breach and offer tips on assessing partners’ defenses.

How can asset owners, plan sponsors and plan advisers scope out the bona fides of cybersecurity vendors, whose expertise is key to protecting networks and other digital assets from breaches?

A panel at the “Vetting Providers’ Cybersecurity Processes” session of PLANSPONSOR’s livestream event October 12 offered tips to allocators, investment managers and others who want to protect themselves from the legions of hackers. It was moderated by Glenn Davis, deputy director of the Council of Institutional Investors.


One vital tool, according to the panelists, is the audit of third-party providers conducted under the Service Organization Control Type 2 (SOC 2) compliance framework, established by the American Institute of Certified Public Accountants to ensure the security of client data handled by third-party service providers.

The framework specifies how organizations should manage customer data. Speakers also discussed the SOC 2 Type 2 report, which outlines a company’s internal controls and details how well it safeguards customer data, specifically for cloud service providers. A third-party audit of this kind can show whether a provider’s security protocols are sound and effective.

“This drives confidence and removes speculation” in the screening procedures of providers, advised Jon Atchison, senior lead of governance, risk and compliance at investment adviser firm CAPTRUST.

As an example of what can go wrong, Atchison, one of the speakers on the livestream, pointed to one of the most recent large cybersecurity failures: the breach of MOVEit file transfer software, which affected sensitive personal data from governments and businesses and involved 3.4 million people. “MOVEit wasn’t the first and won’t be the last,” he said.

One task for providers is to guard against threats from employees and other insiders, said panelist Allison Itami, a principal in the Groom Law Group, whose ERISA practice focuses on data privacy and data security. These in-house folks can pose a risk of theft or fraud, she added. “As long as humans are involved,” cyber vulnerabilities will be around, Itami warned, and a lot is at stake. “If you lose money or have a data breach, trust is eroded.”

What’s vexing is that there is no absolute shield against cyber mischief. “No one can be 100% safe,” said panelist Mario Paez, national cyber risk leader at Marsh McLennan Agency, which sells insurance to organizations to protect against breach liabilities.

Some think that other business insurance, not tailored to digital crime, will be sufficient—and they are wrong, Paez said. Certainly, specialized cybersecurity policies are complex, “and the devil is in the details,” he admonished. For that reason, Paez continued, it pays to get a cybersecurity-savvy insurance broker to advise on what is best for a company’s particular needs.

Insurance must cover a range of necessities that can be created by a breach, he said, including extortion coverage in the case of a ransomware attack; business losses; the costs of notification to people affected by a breach; and forensic probes of how and why an incident occurred.

Can Tools Help Companies Evaluate Cyber Risks of Vendors or Sectors?

Speaker discusses ways to gauge hacking vulnerability during PLANSPONSOR’s Cybersecurity livestream.

MGM stock is down nearly 13% since the beginning of a cyberattack that destabilized operations at the casino giant last month. This poses a big question for asset owners: How do you determine what stocks are safe to invest in from a cybersecurity standpoint? The MGM hack, and other incidents in recent years, have shown there are consequences not only for a company, but for other companies it does business with and its shareholders.

But how can plan sponsors insulate themselves from cyber risks when making business decisions? What industries are most susceptible to cyber-attacks? These questions were central to a presentation at PLANSPONSOR’s October 12 Cybersecurity livestream event, by Doug Clare, head of cyber strategy at ISS Corporate Solutions, which, like PLANSPONSOR, is owned by Institutional Shareholder Services Inc.


ISS ESG Cyber Risk Score

ISS has developed a rating, the ISS ESG Cyber Risk Score, that evaluates a company’s susceptibility to cyberattacks. The metric aims to quantify what industries and companies within the Russell 3000 Index are exposed to digital threats.

The score is designed to measure the odds of a digital attack affecting the company within the next 12 months. The rating draws on data gathered on a continuous basis regarding network and domain posture, construction and evidence of compromise. The score is a scaled representation of the odds of a breach incident, ranging from higher risk (300) to lower risk (850).

At Risk Industries

According to Clare’s presentation on sector-relative cyber risk, 33% of companies experienced a breach or disruption within the last 12 months. However, some industries are more at risk than others.

According to ISS research, the most at-risk industries in the Russell 3000 are technology, media and telecom. The least at-risk sectors are health care; energy and utilities; and finance and banking, all significantly lower than the average risk of all industries.

What It Means for Investors

The ISS ESG Cyber Risk Score can play a role in vetting vendors, contractors, partners or other service providers regarding the digital risks they could present. It is one tool institutions can use in the due diligence process.

“There is a documented impact on share price when breach events occur, the score does translate directly into breach incident odds, and I think it has a meaningful role to play in evaluating risk,” Clare said. “If cyber breach risk is something you are concerned about, this is a metric you could and should look at.”

As seen with MGM, cyberattacks can have double-digit impacts on the price of a company’s shares and add millions in cost to its spending. In the modern age, this is something investors should monitor and evaluate. The ISS ESG Cyber Risk Score offers a tool to develop a better understanding of a company’s potential exposure to such attacks.
