July 18, 2018

By Suzanne M. Dugan

Spend some time with Brian Bartow and you’ll soon learn that worrying about cybersecurity is what keeps him up at night. If you’re having trouble getting your arms around cybersecurity and its implications for your pension system, Brian’s expertise and cool demeanor in this area are just what you need to help you focus on this critical risk. As the General Counsel and Chief Compliance Officer at CalSTRS, Brian is responsible for enterprise information management and information security. He has even taught a law school class on the topic. Brian sat down for an interview to share his knowledge and insights about the fiduciary obligations arising out of the risks associated with cybersecurity.

Suzanne Dugan, Cohen Milstein: How serious is the cybersecurity threat to pension systems?

Brian Bartow, CalSTRS: Except for funding, it is the number one risk we face. When you assess risk, the analysis is typically two dimensional—that is, we look at the severity of the risk and the likelihood of its occurrence. With cybersecurity risk, there is an added third dimension. In addition to severity and likelihood, we assess the velocity of the risk. If a breach happens, it’s going to happen immediately, whether the breach affects one record or brings down the whole system. This is not theoretical.

What got my attention was the severity and reality of the risk. The whole enterprise is at risk. I started talking about this issue about five years ago and although the word does seem to be getting out, I’m still amazed at the lack of engagement on this issue by those who still consider cyber and information security to be IT issues. We should be concerned at the lack of comprehension of the inevitability and the potential dimensions of this risk.

The full article can be accessed here.