Traditional asset managers, hedge funds, and private equity firms are spending billions to protect against hackers and cybersecurity attacks. But public pension plans, which are often understaffed and underfunded, are among the most vulnerable. Still, no matter how much is spent to protect vulnerable systems, the breaches often involve simple ruses.
According to reporting from the St. Louis Dispatch-Post, the Public School and Education Employee Retirement Systems of Missouri, a $56.4 billion public pension plan, fell victim to a cybersecurity attack when an employee’s email was accessed by an unauthorized user on Sept. 11.
“The impacted email account was quickly disabled,” Dearld Snider, executive director of the Retirement Systems of Missouri (PSRS/PEERS), told Institutional Investor in an email.
“The unauthorized individual did not gain access to PSRS/PEERS’ internal operating system. In addition, there is no evidence of fraudulent activity as a result of the incident.”
Since the system became aware of the breach, it has been identifying and notifying affected individuals and “reviewing security protocols to prevent incidents of this type in the future,” Snider said.
According to Snider, the system sent a letter to all affected parties and is offering a free 24-month membership of Experien's IdentityWorks, a credit- and identity-monitoring program.
“There is no evidence that this incident is related to any other recent governmental entity events,” Snider said.
While the incident appears isolated, it prompts questions about the robustness of public pension plans’ cybersecurity infrastructure.
For cybersecurity expert Anthony James, who is the vice president of product marketing at InfoBlox, these attacks are routine and often start with familiar strategies like spamming and phishing.
“It really isn’t a game of hacking,” James told II. “It’s the fact that a user accidentally volunteered this information, either on email or social media.”
An attack is typically a result of the perpetrator engaging with a user who “has some type of privilege over a system,” James said. For example, a perpetrator may use information found on LinkedIn or a company’s website to target employees who have access to specific information. James said attackers often harvest this data before crafting their attack.
The potential implications of a data breach are large and widespread, James said: “Once you get access into a trusted environment, like email, you’re basically unlocking whatever the attacker wants.”
Even asset managers that are better equipped financially than most public pension funds can’t completely seal themselves off from threats. In an October survey, KPMG found that only 11 percent of 1,300 global respondents, which included private equity, hedge funds, and asset managers, were prepared for a cyberattack. Seventy percent of those were hoping for an industry-wide solution that would address increasingly common ransomware demands. The pandemic and remote work has made the problem worse. Last October, six months into the pandemic, more than a quarter of family offices reported a data breach.
To avoid these kinds of routine attacks, James urged companies to enact basic cybersecurity practices, such as two-factor authentication, and adopt a “zero trust” philosophy. The zero trust philosophy encourages users to distrust everything within the network, requiring multiple layers of access. For instance, a user may be able to access multiple devices, but they may be prompted each time they sign on to verify his location. While these measures are familiar to many finance professionals, they’re still not in place everywhere.
“Zero trust, both as a framework and a technology, is a way to circumvent these gaps in the cybersecurity awareness of users and technologies,” James said.