Trustees received a cybersecurity briefing from Linea Secure designed to frame cyber risk as a governance issue that requires board oversight, not just IT operations.
Peter Zuer, president of Linea Secure, and Jake Long, senior consultant, reviewed common attack vectors—phishing and social engineering, ransomware, business email compromise and insider risks—and stressed how pension funds’ sensitive member data and large financial transfers make them attractive targets. They noted recent anecdotal cases in which threat actors compromised member mailboxes and attempted to redirect benefit payments, and reiterated that attackers now routinely use AI to craft more convincing impersonation attempts.
Linea recommended trustees and staff adopt a layered approach: identify and catalog sensitive data and critical systems; protect with multi‑factor authentication, approved devices and safe networks; detect anomalous activity; maintain and exercise an incident response plan; and recover with clear communications to members and stakeholders. Presenters emphasized role‑based and frontline training (member services, call center staff) and suggested targeted simulations and data‑loss prevention tools for staff handling PII.
Trustees asked whether San Jose’s operating environment differs from other plans; presenters said ORS faces familiar risks (hybrid work, third‑party hosting of PensionGold and member portals) and recommended tailored governance and third‑party due diligence. Trustees also asked about cyber insurance trends; presenters said premiums have stabilized but underwriting rewards demonstrable security controls.
Staff and trustees discussed operational coordination with the City’s central IT and the city chief information security officer; presenters advised clarifying roles and having a documented incident playbook that covers emergency meeting protocols and interaction with city IT for large incidents.
Linea offered follow‑up assessments and targeted trustee training and recommended the board consider tabletop incident exercises and heightened third‑party due diligence for custodians and system vendors.