Are SA retirement funds prepared for the next wave of cyberthreats? Picture: 123RF

In an age in which cyberthreats are evolving at an unprecedented pace, retirement funds must prioritise cybersecurity and resilience to protect member assets and personal information.

The increasing reliance on digital platforms, outsourced service providers and artificial intelligence (AI) solutions demands a proactive approach to risk management. The question is: are SA retirement funds prepared for the next wave of cyberthreats?

The Financial Sector Conduct Authority (FSCA) has recognised the critical need for robust cybersecurity measures and stronger cyber resilience in financial institutions.

To address this, Joint Standard 2 of 2024 (cybersecurity and cyber resilience requirements for financial institutions) takes effect from June 2, building on the existing Joint Standard 1 of 2023. These standards apply to financial institutions, including retirement funds and their administrators.

The second joint standard requires the establishment of a structured framework to mitigate cyber risks, outlining minimum security requirements and best-practice principles. Compliance will not only be a regulatory necessity but a key safeguard in protecting members from fraud, identity theft and financial loss.

With the two-pot system now well established, members have far more frequent access to their retirement savings, and every withdrawal request is a new opportunity for fraud. Fraudsters will inevitably target the withdrawal process, whether by taking over member accounts, impersonating members or diverting payments, so cyber resilience must be a top priority for fund administrators. Strong authentication of the member at the point of withdrawal, real-time monitoring of withdrawal requests for fraud and better member education are essential to preventing cyber-related financial losses.

AI is revolutionising financial services, but it also introduces new risks. A recent SA court case, Mavundla v MEC department of co-operative government & traditional affairs & others, in which the court criticised the citation of authorities that turned out to be AI-generated and non-existent, highlighted the dangers of relying on AI output without verifying it. While AI can streamline operations, retirement funds must remain vigilant against AI-powered cyberfraud and misinformation.

AI-based cyberthreats, such as deepfake scams and AI-generated phishing, pose a real and growing risk to fund administrators, trustees and members. Retirement funds must ensure that the AI-driven tools they adopt strengthen security rather than introduce new vulnerabilities.

The Gerber v PSG Wealth Financial Planning case is a stark reminder of the consequences of inadequate cybersecurity. The court found that PSG had a contractual obligation to deploy adequate technological systems to protect its client against financial loss caused by cyberfraud, and held it liable when it failed to do so.

For retirement funds, this case underscores the duty of boards of trustees to safeguard member assets. Cybersecurity is not just an IT issue: it is a governance and fiduciary responsibility. Boards must act with due care, diligence and good faith, which includes satisfying themselves that their service providers have effective cybersecurity measures in place.

The responsibility therefore does not rest solely with administrators. Boards of trustees must ensure that every outsourced partner, whether administrator, investment manager or IT service provider, complies with the applicable cybersecurity requirements. This includes adherence to the Protection of Personal Information Act (Popia), the FSCA joint standards and sound cyber governance principles, and it should be tested through contractual obligations and ongoing oversight rather than assumed.

Cybersecurity strategies should not exist in isolation. As part of a global financial services group, we align our approach with international regulation such as the EU's Digital Operational Resilience Act. Combined with the SA standards, this improves our ability to detect, prevent and respond to cyberthreats, protecting data integrity and financial security across our operations.

Integrating international best practice with local regulatory requirements in this way produces a cyber resilience framework that is both robust and adaptable, and that protects not only the retirement fund itself but the broader financial ecosystem it forms part of.

Cyberthreats are not static; they evolve daily. Retirement funds must adopt a forward-looking cybersecurity approach that incorporates:

  • Continuous cybersecurity training for administrators and trustees.
  • Regular penetration testing and independent security audits.
  • Multifactor authentication (MFA) for member and administrator access, and encryption of transactions and member data.
  • Tested incident response plans so that a breach can be contained and reported quickly.
  • Collaboration with industry peers and regulators to stay ahead of emerging threats.

As cyber risks grow, so too must our collective vigilance. Ensuring that retirement funds — and the hard-earned savings of South Africans — are secure in the digital age requires integrating global best practices with local regulations. 

• Galloway is trustee of the Prescient Retirement Funds and head of legal at Prescient.
