Memorandum #32: Cybersecurity and Internal Controls

Date: 12/02/2021
Organization: Public Employee Retirement Administration Commission
Referenced Sources: PERAC Website

PERAC Memo #32, 2021


To All Retirement Boards:

TO: All Retirement Boards

FROM: John W. Parsons, Esq., Executive Director

RE: Cybersecurity and Internal Controls

DATE: December 2, 2021


The threat of cybersecurity intrusions into personal and professional devices and IT systems has become increasingly frequent and varied.  Despite the best efforts of entities large and small to protect their data and assets, successful attacks continue to occur.  In prior PERAC Memorandums, most recently on October 26, 2021, PERAC has alerted retirement boards to hackers posing as individual members, board vendors, and even board employees.  While PERAC, MACRS, and retirement boards have all placed additional emphasis on cybersecurity in the recent past, it is clear that more needs to be done. Due to this ongoing proliferation of illicit hacking activity, PERAC is hereby announcing a number of additional steps and initiatives aimed at maximizing security and awareness of the vulnerability of system assets and protected information.  While we anticipate that certain actions outlined below will be memorialized in regulation in 2022, all board actions called for below are effective as of the date of this memorandum. 

  1. Any attempted or successful cyber intrusion into a system’s network, email, or databases, or unauthorized activity by a third party, shall immediately be reported to PERAC.  This will enable PERAC to assist the retirement board and bring valuable security information to all retirement boards in a timely manner.
  2. Boards should seek an immediate assessment of their IT environment in conjunction with their IT service provider.  Whether the board’s IT services are received through a municipality or by independent contract, it is incumbent upon the board to assess and maintain a secure IT environment consistent with present-day security features.
  3. In the first quarter of 2022, PERAC will be hosting a comprehensive cybersecurity awareness program for board members and staff, featuring experts from Massachusetts’s oversight agencies.  All retirement system staff and board members are strongly encouraged to attend.
  4. Also beginning in the first quarter of 2022, PERAC’s education program for boards and staff will feature the development of an Internal Control Plan (“ICP”) at each retirement board.  In addition to the training program, PERAC will provide boards with a sample ICP that can be adapted to a board’s personnel structure.  Increased emphasis during PERAC audits will be placed on internal control processes relative to IT security, investment transactions, cash management, and retirement functions such as calculations, buybacks, etc.

We have also included a link to cybersecurity guidance, developed specifically for pension plan sponsors, fiduciaries, and participants, and published by the Department of Labor earlier this year.

This guidance addresses 3 specific areas: Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips. www.dol.gov/newsroom/releases/ebsa/ebsa20210414

In summary, strong IT security and internal controls are the best remedy to combat the extensive efforts being made to compromise our systems.  We urge all boards to prioritize this effort and work with PERAC and your municipalities to safeguard our information and assets.  Our collective, coordinated initiatives are critical to maximizing this effort.

 

Commission Members

Philip Y Brown, Esq., Chairman
Auditor Suzanne M. Bump
Kathleen M. Fallon
Kate Fitzpatrick
James M. Machado
Richard MacKinnon, Jr.
Jennifer F. Sullivan
