2024 Public Sector Perspectives

Strengthen cyber security Risks associated with cyber security are challenging to assess. Moreover, the incidence of attacks – while increasing – is relatively low. At the same time, the costs of ongoing cyber security can be significant. The imbalance between the low likelihood of disruption and relatively high prevention costs may prompt PPFs to cut corners. Failure to take cyber security seriously can result in a catastrophic loss of assets, significant reputational damage, personal responsibility for losses for senior management, regulatory penalties and high post-attack response costs. UK outsourcing firm Capita, which administers 450 pension schemes with a total of 4.3 million members, for private and public sector clients (including local councils, the military and the health service) was hacked in March 2023. The company estimates that costs from the attack will reach £25 million ($30 million); potential regulatory fines related to the attack have yet to be determined. 3 PPFs seeking to improve their cyber security need to address three main risks: a. Third-party exposure: The risk of data leakage from the PPF’s external partners such as investment managers or custodians. Some pension funds have specific requirements regarding data localization and confidentiality settings; b. Data exposure: The risk of malicious hacks resulting in direct data leakage from PPFs themselves; c. Cyber fraud: The risk of hackers impersonating another individual to steal data or money from the PPF. At a high level, centralization and automation can do much to manage cyber security risks and make it easier to incorporate good cyber security habits into PPFs’ daily operating processes. PPFs should also take advantage of the capabilities and knowledge of their banking and custodial partners. In addition, the UK Pensions Regulator’s code of practice, 4 which sets out expectations for trustees, provides some valuable guidance. Among its recommendations are the need to: • Clearly define roles and responsibilities to identify cyber risks and breaches, and to respond to cyber incidents. • Assess, at appropriate intervals, the vulnerability of the scheme’s key functions, systems and assets (including data assets) and the vulnerability of service providers involved in the running of the scheme. • Consider accessing specialist skills and expertise to understand and manage risk. • Maintain a cyber incident response plan in order to safely and swiftly resume operations. • Take actions so that policies and controls remain effective. 3 https://www.theguardian.com/business/2023/aug/04/cyber-attack-to-cost-outsourcing-firm-capita-up-to-25m 4 https://www.thepensionsregulator.gov.uk/-/media/thepensionsregulator/files/import/pdf/full-draft-new-code-of-practice.ashx Conclusion The coming years will be critical for PPFs as they navigate multiple challenges and uncertainties, not least demographic pressures. Many PPFs have ambitions to generate alpha from their investment activities and are keenly focused on the diminishing real returns of traditional asset classes, the shift into private equity and other alternative asset classes, and the implications of heightened geopolitical tension. However, the need to pare down costs in order to generate operational alpha is equally important and should not be overlooked. Ideally, PPFs should take a holistic approach encompassing both investment strategy and operational efficiency, as changes in the former have important implications for the latter. Improving operational efficiency requires greater transparency, digitalization, automation, centralization, enhanced data security and myriad other factors such as talent management. The scale of the challenge can seem daunting. However, PPFs do not have to embark on their quest for operational alpha alone. Citi provides advisory services and a comprehensive range of solutions specifically designed for PPFs’ operational ecosystem that can help them achieve their efficiency objectives and ensure they deliver for their pensioners. Improving operational efficiency requires greater transparency, digitalization, automation, centralization, enhanced data security and myriad other factors such as talent management. Citi Perspectives for the Public Sector 55 54 Public Pension Funds: Seven Steps to Operational Alpha