Investing | 16.02.2025

Cyber attack warning to retirement funds in South Africa

As retirement funds in South Africa become increasingly reliant on technology, the threat of cybercrime grows. 

Retirement funds, in particular, are at risk because they use outdated software and do not have a clear plan for managing a cyberattack.

ICTS Academy head Toni Cantin said cybercrime is a growing problem for retirement funds in South Africa.

“As technology becomes more important for managing member information, investments, and communication, retirement funds rely more on digital systems,” she said. 

“But with this reliance comes a big risk — cybercriminals see these funds as valuable targets.” 

“From stealing personal information to holding systems hostage with ransomware, the risks are serious and can have a huge impact on both members and trustees.”

Cantin explained that retirement funds are appealing to cybercriminals for two main reasons.

Firstly, retirement funds store detailed personal and financial information about members, such as ID numbers, addresses, and account details. 

Cantin said cybercriminals can use this information for identity theft or sell it to others.

Retirement funds also deal with large sums of money, meaning cybercriminals may try to manipulate systems or trick employees into giving them access to funds.

“Because retirement funds rely on many service providers — like administrators, investment managers, and IT companies — there are more entry points for cybercriminals to exploit,” she said.

Cantin also outlined the various ways criminals can attempt to gain access to retirement funds.

The first is phishing, which happens when a cybercriminal sends fake emails that look real, tricking someone into sharing essential information like passwords. 

For example, a trustee might receive an email that appears to be from their administrator but is actually from a scammer.

A second route is ransomware, a type of malware that locks a fund’s systems or data until a ransom is paid. 

“If a retirement fund is hit with ransomware, members might not receive payments on time, and the fund’s reputation could be damaged,” she said.

The third way, a data breach, occurs when cybercriminals break into a system to steal sensitive information. 

For retirement funds, this could mean exposing member data, leading to legal issues and a loss of trust.

While these cyberattacks may seem unlikely, cybercriminals have gained access to retirement funds in South Africa as recently as last year.

In February 2024, MyBroadband reported that the Government Employees Pension Fund (GEPF) experienced a security breach when an unauthorised party attempted to access its systems. 

The organisation shut down its systems to isolate the breach, saying no data had been compromised and that pensioner payments were unaffected. 

However, an anonymous source told MyBroadband that no payments had been made since 12 February 2024.

“They are not even doing applications manually. No payments have happened since 12 February,” they said.

“The self-service site and call centre are still down this morning (Wednesday, 21 February 2024).”

Cantin explained that keeping retirement funds safe does not only come down to the fund administrator having strong security.

This is because many funds in South Africa work with outside companies for administration, IT, and investment services. 

Therefore, if one of these companies has weak cybersecurity, it could open the door for attackers to access the fund’s data even if the 

Worryingly, Cantin said some retirement funds in South Africa are not as prepared as they should be. 

This can be because some use outdated software, which makes it easier for cybercriminals to get in.

Other issues can include a lack of awareness, whereby trustees and staff might not know how to spot cyber threats.

In addition, many funds do not have a clear plan for how to manage a cyberattack.


To stay safe, Cantin outlined a few key steps funds need to take:

  • Understand the risks — The first step is identifying where the fund is vulnerable. This means looking at how systems are set up, how data is shared, and how secure service providers are.
  • Train trustees and staff — Education is one of the best defences. Everyone involved in managing the fund should learn how to spot phishing scams, use strong passwords, and handle sensitive information safely.
  • Use better security controls — Multi-factor authentication (MFA) adds an extra step, like a text code, when logging in, making it harder for attackers to gain access.
  • Restrict access — Only people who need access to certain data or systems should have it.
  • Update software regularly — Outdated systems and software are easy targets for cybercriminals. Funds should make sure everything is kept up to date with the latest security protections.
  • Choose secure service providers — When working with outside companies, funds should check that they follow strong cybersecurity practices. Contracts should include clear security requirements.
  • Prepare for the worst — Having a plan in place is critical. A good plan includes steps to stop an attack, fix the damage, and communicate with members and regulators.
  • Encrypt and back up data — Encryption makes data unreadable to attackers, even if they manage to steal it. Regular backups ensure that data can be restored quickly after an attack.

Cantin explained that, by law, funds are responsible for keeping their members’ data secure.

South Africa’s Protection of Personal Information Act (POPIA) requires funds to protect member information, and if they fail, the funds could face fines, lawsuits, or reputational damage.

However, she said cybersecurity is not just an IT issue — it is something trustees, consultants, and service providers must all take seriously. 

“A cyberattack can harm members, damage a fund’s reputation, and lead to legal consequences,” she warned. 

“That’s why it’s so important to stay informed, be prepared, and take action to protect your fund.”


This article was first published by Daily Investor and is reproduced with permission.
