Cybersecurity and retirement funds: what you need to know

Feb 11, 2025

Toni Cantin, Head of the ICTS Academy

Retirement funds in South Africa are facing a growing problem: cybercrime. As technology becomes more important for managing member information, investments, and communication, retirement funds are relying more on digital systems. But with this reliance comes a big risk—cybercriminals see these funds as valuable targets. From stealing personal information to holding systems hostage with ransomware, the risks are serious and can have a huge impact on both members and trustees.

In simple terms, this article explains the main cybersecurity threats retirement funds face, why they’re vulnerable, and what can be done to protect them.

What makes retirement funds a target?

Retirement funds are appealing to cybercriminals for two main reasons:

1. Sensitive data: These funds store detailed personal and financial information about members, such as ID numbers, addresses, and account details. Cybercriminals can use this information for identity theft or sell it to others.

2. Money: Retirement funds deal with large sums of money. Cybercriminals may try to manipulate systems or trick employees into giving them access to funds.

Because retirement funds rely on many service providers—like administrators, investment managers, and IT companies—there are more entry points for cybercriminals to exploit.

The biggest cyber threats retirement funds face

Phishing happens when a cybercriminal sends fake emails that look real, tricking someone into sharing sensitive information like passwords. For example, a trustee might receive an email that appears to be from their administrator but is actually from a scammer.

Ransomware is a type of malware that locks a fund’s systems or data until a ransom is paid. If a retirement fund is hit with ransomware, members might not receive payments on time, and the fund’s reputation could be damaged.

A data breach is when cybercriminals break into a system to steal sensitive information. For retirement funds, this could mean exposing member data, leading to legal issues and a loss of trust.

Third-party weaknesses are another threat. Many funds work with outside companies for administration, IT, and investment services. If one of these companies has weak cybersecurity, it could open the door for attackers to access the fund’s data.

Why are retirement funds vulnerable?

Some retirement funds aren’t as prepared as they should be. Here’s why:

  • Old systems: Using outdated software makes it easier for cybercriminals to get in.
  • Lack of awareness: Trustees and staff might not know how to spot cyber threats.
  • Weak passwords: Simple or reused passwords are an open invitation for attackers.
  • No recovery plan: Many funds don’t have a clear plan for how to manage a cyberattack.
  • Trusting the wrong vendors: Relying on service providers without checking their security measures creates risks.

How can retirement funds protect themselves?

To stay safe, funds need to take a few key steps.

1. Understand the risks

The first step is identifying where the fund is vulnerable. This means looking at how systems are set up, how data is shared, and how secure service providers are.

2. Train trustees and staff

Education is one of the best defences. Everyone involved in managing the fund should learn how to spot phishing scams, use strong passwords, and handle sensitive information safely.

3. Use better security controls

  • Multi-factor authentication (MFA): This adds an extra step (like a text code) when logging in, making it harder for attackers to gain access.
  • Restrict access: Only people who need access to certain data or systems should have it.

4. Update software regularly

Outdated systems and software are easy targets for cybercriminals. Funds should make sure everything is kept up to date with the latest security protections.

5. Choose secure service providers

When working with outside companies, funds should check that they follow strong cybersecurity practices. Contracts should include clear security requirements.

6. Prepare for the worst

Having a plan in place is critical. A good plan includes steps to stop an attack, fix the damage, and communicate with members and regulators.

7. Encrypt and back up data

Encryption makes data unreadable to attackers, even if they manage to steal it. Regular backups ensure that data can be restored quickly after an attack.

What does the law say?

South Africa’s Protection of Personal Information Act (POPIA) requires funds to protect member information. If a fund fails to do this, it could face fines, lawsuits, or reputational damage.

To comply, funds should:

  • Only collect and store the information they need.
  • Regularly assess their data security measures.
  • Make sure service providers also follow POPIA requirements.

The role of consultants

Consultants play a significant role in helping retirement funds stay safe from cyber threats. They can:

  • Recommend secure service providers.
  • Help trustees and staff understand cybersecurity risks.
  • Suggest tools and practices that improve security.
  • Make sure the fund complies with laws like POPIA.

By guiding funds through these steps, consultants ensure that trustees can protect members’ information and money.

Cybersecurity is everyone’s responsibility

Cybersecurity isn’t just an IT issue—it’s something trustees, consultants, and service providers must all take seriously. A cyberattack can harm members, damage a fund’s reputation, and lead to legal consequences. That’s why it’s so important to stay informed, be prepared, and take action to protect your fund.

Is your retirement fund ready to face cyber threats? If not, now is the time to act.
