Cybersecurity Is Now a Fiduciary Responsibility

Jim Leone

1/24/2026 · 2 min read

For decades, cybersecurity was framed as a technical discipline. Firewalls, patching, access controls, incident response. Important, but largely operational. That perspective no longer reflects reality, especially for financial institutions with long-term obligations to their clients and beneficiaries. Today, cybersecurity is inseparable from fiduciary responsibility.

Fiduciary duty is fundamentally about trust in safeguarding assets, protecting sensitive information, acting prudently on behalf of others, and managing risk over long horizons. In financial services, that duty extends beyond balance sheets. It includes the integrity, availability, and confidentiality of systems that customers depend on, often for decades.

When identity systems fail, when data integrity is compromised, or when operational continuity is disrupted, the impact isn’t abstract, it’s personal. It affects livelihoods, retirement security, and confidence in the institution itself.

That makes cybersecurity a fiduciary issue, not just an IT one.

Cyber Risk Is Financial Risk... Just on a Different Timeline

Traditional risk models often separate cyber risk from financial or operational risk. That distinction is becoming increasingly artificial. Let's look at the downstream effects of a serious cyber incident...

  • delayed or incorrect benefit payments

  • exposure of personally identifiable information

  • erosion of trust among beneficiaries

  • regulatory scrutiny and legal exposure

  • long-term reputational damage

These are not short-lived technical events. They are financial and governance consequences that can persist long after systems are restored. Fiduciaries are expected to anticipate and mitigate foreseeable risks. In today’s environment, cyber risk is unquestionably foreseeable.

Why I Believe Long-Term Institutions Face a Different Cyber Reality

Unlike many commercial enterprises, pension and retirement organizations operate on multi-decade timelines. Systems, identities, records, and relationships persist for generations. That creates unique challenges, such as identity lifecycles that span decades, legacy systems that coexist with modern platforms, reliance on third-party administrators and vendors, and regulatory expectations that evolve over time.

Cybersecurity strategies built for short-term agility don’t always translate well to long-term stewardship. What’s required instead is resilience, not just protection. Resilience asks different questions, such as:

  • Can critical services continue during disruption?

  • Are failure scenarios understood beyond IT systems?

  • Is accountability for cyber risk clear at the executive and board level?

  • Do vendors align with the institution’s fiduciary obligations, not just technical SLAs?

I've Always Felt Governance Matters More Than Tools

Many organizations invest heavily in security technologies while underinvesting in governance and ownership. Fiduciary-aligned cybersecurity requires clear executive accountability for cyber risk, board-level visibility into material cyber exposures, integration of cyber considerations into enterprise risk management, and vendor oversight that extends beyond questionnaires and certifications.

The most effective programs are not defined by the tools they deploy, but by the clarity of responsibility and the maturity of decision-making around risk.

I believe the question is no longer whether cybersecurity belongs on the fiduciary agenda. The real question is whether institutions are prepared to treat cyber risk with the same rigor, foresight, and prudence as financial risk. Those that do will be better positioned to protect not just systems, but the people and promises those systems exist to serve. Those that don’t may find that the cost of treating cybersecurity as “just IT” is far higher than expected, and paid in ways that matter most to those they are entrusted to protect.

Remember... Cybersecurity isn’t about fear, it’s about responsibility. And in long-term financial institutions, responsibility is the core of fiduciary duty.