(and the audiences that want them)
Pension Plans should get a penetration test annually
There are 5 audiences for your pentest, and they have very different reporting needs
Have your Pentester tune their reports for your audiences
Penetration Testing (pentesting) is considered one of the best investments in cybersecurity for your pension fund. Hiring an expert “ethical hacker” to identify vulnerabilities and test whether they can be exploited helps you understand what needs to be fixed first. Employers, regulators, insurance companies and other stakeholders also know the benefits of regular penetration testing, which is why so many require annual penetration testing.
Penetration testing, therefore, is much more than a technical test. It is a way for your Plan to prioritize gap closure and cybersecurity investments, and it provides assurance to others that you have an effective security program at a fundamental level.
Get reporting wrong and you will raise concerns. Get reporting right and your audience will move on with comfort and confidence.
Think of these reports as various forms of Executive Summary or Attestations from your independent penetration tester. The detailed report (see 5) should be kept private. But these audiences have a legitimate need to understand a level of detail that builds their confidence in your Plan and your security program.
Keep in mind that your independent pentester is not altering their findings in any of these. If you are in dismal shape, then the report will need to say that. But, with fine tuning (and remediation and retesting) you will find you can get much more leverage from your pentest.
This post highlights the 5 audiences at Pension Plans for your penetration test, and the tone and level of detail they need to see.
1. Board of Directors
Focus on Risk
Board of Directors care about risk. Cybersecurity is a big concern, but most board members only understand them tangentially. They know a compromise will cost money and that pension plans can be seriously impacted from a serious attack. Don’t delve into attack vectors, tools, and methods for this audience. Focus on metrics, risk mitigation, and monetary impacts.
Visual reporting elements such as graphs and charts play a pivotal role in efficiently communicating key results to board members. In addition, this penetration test report should communicate alignment with the plan's current situation. That reinforces the importance of your overall security program.
Principles:
First, work to understand the near-term goals of the plan. Are you implementing a new pension administration system? Are there new privacy laws in the state? Whatever it is, you can anchor the pentest to that.
Work with your pentester to ensure they write this summary in a way that supports the Plan's current environment and doesn’t conflict in any way.
You should write a cover letter to the pentest report that aligns with the Plan's environment, and describes how this protects those issues. You may also reference industry security trends that may matter to their risk discussions.
2. Employer Reports
Focus on being compelling
Many Pension Plans are getting questions about their cybersecurity from employers. It makes sense. They also have a fiduciary responsibility to ensure partners protect their employees. You need to provide them with an attestation that gives them the right level of assurance.
But, with some refined language, you can be much more compelling. Align with their concerns and tell them the measures you are taking to protect their employees. We’ve even worked with marketing teams to get the messaging on point.
Principles:
Work with your pentester to write an employer-facing report that is factual but compelling.
Be ready to share this report with your employers. Speed equals confidence, and sharing this report willingly and quickly frequently handles their concerns completely.
Talk about how serious your pension plan takes cybersecurity. Pentesting is just part of your overall cybersecurity.
3. Insurance Providers
Focus on Safety
Cyber insurance premiums continue to rise and the industry’s loss ratio (paid claims to premiums earned) shows no sign of slowing down. With the onslaught of ransomware, insurers offering cyber coverage were initially caught off guard, and they significantly underestimated the cyber risk landscape and expense of cyber-attacks.
That was last year. Insurance has snapped to the other end of the pendulum. Insurance for cybersecurity is not only expensive, it can also be hard to meet some of their requirements. It’s almost guaranteed that they will require annual penetration testing. A clear and concise report can provide your insurer with the comfort and reassurance they’re looking for.
Principles:
Make sure you understand clearly what your insurance company requires for pentesting.
The report should be short and factual. If you follow a best practice framework like NIST (and you should), mention it and comment that a pentest is also best practice.
Work with your pentester to write a report on their letterhead and have them offer to speak to the insurance company in the letter. This communicates confidence and transparency.
4. Compliance
Focus on the compliance facts
Privacy laws are a challenge for pension plans. State rules are complicated and you may need to do a penetration test for compliance purposes. Stick to the specifics of the privacy rules. Take a look at our resource page, which has links to privacy rules for every state. Keep in mind that they care about privacy for individuals only..
For example, for privacy requirements, don’t comment on other areas, like investments, even if they were tested. There is no need to raise alarms with testing that have nothing to do with the compliance requirements. Talk about the compliance requirement specifically, the test methods, and whether your pension plan is currently in compliance. Any other details are superfluous and risky.
Principles:
First, make sure your pentester understands the compliance requirements. These requirements can be esoteric and complicated.
Compliance pentest reports should stick to the requirements only. Nothing extra.
5. For Your Internal Team
Focus on detailed findings and prioritized remediation
Of course, the primary purpose of a pentest is to identify gaps and prioritize remediation. This report provides details on every vulnerability, the attack methods used to exploit it, evidence of success and prioritized remediation recommendations. It is the primary purpose of penetration testing, so the more comprehensive the report can be, the better.
This is the report your IT team, whether in-house or outsourced, will work from to shore up your cybersecurity. Of course, given the details, you would never share it with anyone other than the few people on your team that understand it and will work on remediation. Keep it safe. Keep it private.
Principles:
All findings should be risk-ranked
Every finding should include: the gap in plain language, where it was found, severity ranking, whether it was exploited, evidence of being exploited, description and business impact, how to remediate it.
Closing Thoughts
Penetration testing will continue to prove its worth as an invaluable security tool for pension plans as the threat landscape becomes even more sophisticated. If you get reporting right and begin every report by bearing your audience in mind, you will drive even more value from your pentest investment.