The Pension Blueprint podcast video transcript

Episode 8: Behind the scenes of privacy and security at OMERS


Jackie DeSouza: David and Sandra, thank you for joining me today on "The Pension Blueprint".

David White: Oh, thank you for having us.

Sandra Janjicek: It's great to be here.

Jackie: So let's talk a little bit about what you do at OMERS. David, tell us a little bit about your role and what the cybersecurity team does.

David: I lead the cybersecurity team. The team is made up of three different teams. We have the security operations team, an identity management team, and an advisory team. Those teams are essential to us protecting OMERS information, our data, our technology, and our processes. The security operations team is exactly what you would think it is. It's people watching queues and watching data flows and looking for attacks and following up on those types of attacks. Identity management is making sure that the right people have access to the right data. Only those that need access should have access. And we monitor that very closely. Our advisory team is a function where we work with each of our business departments to give them advice as we roll out new technology or new processes. Our goal is to make sure that as we change process and technology, it's done as securely as possible. All processes are needed for us to be better as an organization. We cannot compromise on security as we go through that. So our team is essential in making sure that we continue to have a safe and secure environment.

Jackie: Well, thank you. Very important role. And Sandra, similar to your team, you also have a very important role at OMERS. So tell us a little bit about your role and what the privacy team does.

Sandra: So I'm a senior analyst on the privacy team, and I like to think of our operations as internal and external facing. So externally, we have a series of privacy statements on our website, which we maintain. And then we also communicate with members. We respond to their inquiries on privacy. Internally, we run privacy assessments on new solutions that we could be working on, maybe a new tool that we're procuring. And this is our way of weighing the intrusion on privacy, the use of personal data with what security is there, are we using this responsibly and appropriately? We also have our own internally-facing policies and guidelines, a lot of papers to read. And with that comes training and awareness building amongst our employees. That way, everyone knows how to handle personal data safely and securely.

Jackie: So David, before joining OMERS about seven years ago, you did work at some other companies. Do pension funds face different cybersecurity threats than you've seen in other industries?

David: Yeah, that's a good question. So I have had the luxury of working in a bunch of different industries, not just at other companies, but also in the consulting space. So I've had access to oil and gas, healthcare, telco, insurance companies and the finance industry. And the good thing is, cybersecurity programs should be built based on what's important to a company, right? And so if we look at the finance industry, making sure that we keep people's money safe is important. If we look at healthcare, we care about their health data and the sensitivity around that health data. And at OMERS, we care about our members' pension data and their retirement data. So regardless of the type of data we have, some people would, you know, insist that protecting transactional financial data is more important. I would disagree. I would say every good cybersecurity program should be focused on what's important to an organization. That being said, our program is the same as all those other programs. So how you protect in the telco space or the finance space or the healthcare space, we do the exact same things here. So we have an enterprise-class program, and it's important to recognize that, as much as people think losing millions of dollars at the bank is important, we view that the same when we look at our members' data. We take that very seriously. It's important to the success of our program and important to the success of OMERS.

Jackie: Right. Okay. And that is extremely important to OMERS as well. I know in terms of our member data, I work for OMERS, we all work for OMERS. I have no access to member data. Only the people who need to access it, say, our call center agents have access to that so they can update files, et cetera. So I know it's a pretty careful space there. So Sandra, I think we all think about privacy in our daily lives, especially in this modern, constantly changing world. Can you tell us a little bit about what privacy means in the context of an organization like OMERS that's trusted with, you know, keeping track and keeping members' data safe?

Sandra: So our team's slogan is privacy is everyone's responsibility. And so we like to think that both members and us internally as employees, that we are all responsible for managing our privacy, whether they be privacy preferences or the actual controls that we put around personal data. What's unique to OMERS is that we have the pension promise. And so we have an obligation to pay this pension to process personal data. And we have no choice but to hold the highest standards of security and ethics. So when we start to do new things, specifically around, like, innovation, enhancing the member experience, we start talking about secondary use cases of personal data. So we have those things that we need to do in order to administer the pension plan. But when we start to do new things with AI or machine learning, things to automate certain processes and workflows, those are all great things. They certainly can improve efficiency, communication to our members, engagement. But we just have to be mindful about do we have their consent? Is this still within the boundaries of our business? An example that I can walk you through would be the AI summarizer. So we have the contact center, the member experience team manages that, and part of their job is taking notes on calls. And the AI call summarizer essentially summarizes the transcript and makes things a little bit easier on the agent's end. It increases our efficiency and our ability to take calls more quickly. And so from a privacy perspective, when we implemented this solution, we had to think about, okay, how is this summary going to be generated? What kind of personal data would be processed? Where is this data going to be stored in a cloud, and what types might be there? How sensitive is this information? And so, we worked with the products and technology team to implement this solution. 
We also completed an assessment where we kind of weigh the intrusion on privacy and then the business need and then also the security standards. And so those three elements.

Privacy is like an art. And so there's a balancing act that we need to do to make sure that we are innovating, we're moving the business forward, but we're also being cautious and mindful and reasonable about how we're using personal data.

Jackie: You had talked earlier about some of your work being internal and some being external. And I'm sure, David, yours is a little bit like that as well. At a high level, can you tell us what that looks like in reality?

David: Absolutely. So, listen, our core function is ensuring all the technology that we put in place is safe and secure. So as we enable new technology, AI being one of them, our job is to make sure that we understand the business value in enabling our business to do it as safely as possible. Now, in doing that, we also have exposure to the external side, right? And the external side can be some of our vendors, but it can also be our members. So we have programs where we monitor the dark web to make sure that we get ahead of anything bad that's happening. So if something is being discussed on the dark web, or something is being sold on the dark web, we want to be proactive in understanding it and making good decisions. As a byproduct of looking for that, our members show up there. And so over the years, we've built a service so that when our members' data or members' information or things about our members are being discussed, we actually now have a process where we reach back out to our members, and we talk to them about what's out there, and we give them advice and guidance on how to be better cyber-safe citizens.

Jackie: Right, so, if I heard that right, if you see something about our members out there that shouldn't be out there, then we directly contact the members to check and make sure that they're safe, that their information is safe. Is that what you're saying?

David: Absolutely. It's not our mandate necessarily to govern the internet and find out what's happening. But as a byproduct of collecting information about OMERS, our members' information will show up. And we take that very seriously, right? And even though it may not be our mandate, it's a good give back to our members that we're always watching and have their best interest at hand.

Jackie: Yeah, that's great. That's good to know we've got people like you, 'cause I'm a member too as are both of you. So it's good to know that we've got that kind of support in our corner. Sandra, can you explain the concepts of consent and choice and how those are foundational to privacy?

Sandra: Yes, so, it's a little bit different here at OMERS, because we have the pension promise. And so, we need to process personal data in order to pay a pension to our members. And so when it comes to consent and choice, we need to think about secondary use cases. So, we have the things that we need to do in order to facilitate and to run pension administration, but then when we try to innovate and do new things, these might create these new scenarios that are maybe not needed for pension administration, but they certainly can improve the member experience, our own operational efficiency. So we need to either ask members. Sometimes, if, you know, we're running a survey, it's that consent notice that's at the very start, or there are lots of things in our privacy statement that outlines what we do at OMERS, and that includes things like artificial intelligence and machine learning, lots of things that we do here, so.

Jackie: It's a field that's constantly moving forward, right? And your two teams always have to keep up with what's happening out there, which is not easy.

Sandra: And I think the way I like to put it is that privacy is more like the art. We are looking at ethical use, responsible use of personal data, and then David's team is the science where they're implementing the security and controls. And so there's a cross-functional partnership there.

I think the reality is, when we talk about consent, in order to do what OMERS does, we need to use a bunch of different data in different ways. We have to, that's just the way we operate. The question is, are we doing it safe and secure? Are we using the data responsibly? Are we putting the right controls in place and the right monitoring to know when we aren't using it responsibly? And so, unfortunately, there's always going to be scenarios where you don't have the opportunity to consent. You have to participate because that's the program that you want to be part of. And our responsibility is to make sure that we put the right program in place cross-functionally, across our teams, to make sure that we're doing the right things, to make sure that we have the right programs. And when we're questioned on it, we could speak intelligently about the decisions we make and that we're being responsible.

Jackie: Right, I want to go back to what you said about sometimes we have to consent, right? I mean, all of us have bought a cell phone, all of us have bought all sorts of different things, and you get this huge sort of consent statement that comes up. And we know that nobody ever reads those things because they're in tiny, small print, and they're multiple pages. So, you know, David, what would you say about that? I mean, are we all putting ourselves at risk by not, you know, carefully reviewing those statements before we sign off?

David: Yeah, that's a good question. So I am the person that reads all of those. I am the one that says—

Jackie: Of course, you are.

David: When I'm going to buy something, I need 20 minutes, and I have to take my glasses out and my red pen. And I think I shared a story with both of you where I was on vacation about a month ago, Sandra, you and I talked about this, and we checked into the resort. And the resort says, "Here's four pages, you just have to initial it and you're good to go." And I said, "Hold on, I can't. I need to read it." So I took my glasses out, and I realized it was in Spanish. I said, "Hold on, I need this in English." And so, I started causing a scene a little bit, not in a bad way, just I wasn't the easy path to signature. And as I shared with both of you, I got a tap on my shoulder from my daughter who said, "Hey, this process is stopping me from getting to the beach. So do you just want to sign?" And so I didn't have a choice of consent. I had to do it to get my daughter to the beach. We had to stay there. If I didn't sign the piece of paper, I don't know if I could stay in a hotel. So you're at the mercy of the process. What I would say in that situation is I don't know if I had the comfort level that whatever I was consenting to, that the company was doing the right thing. And that's where I go back to, even though sometimes we have to use our members' data in a certain way, hopefully they have the comfort level that we're using it responsibly. But there are going to be times in the world where you do have to sign up. I had to do it to get my daughter to the beach. That was more important than me reading legal documents for 30 minutes. But I think we find ourselves in that position all the time.

Jackie: But is that convenience sort of costing us in terms of privacy, Sandra?

Sandra: A little bit. And I think we should all feel empowered to do our own due diligence, even if we're not reading the statement, just thinking critically about what are you actually inputting? Who is this company? What do they do? You know, if they're asking for something that's really sensitive, kind of question, like, "Why do they need this?" I think that initial kind of assessment is maybe a good start, especially if you're in a rush.
I realize that it's so easy to just tick the box and move along, but it's the critical thinking that I think is the way that we can do that without reading the statement word for word.

Jackie: Right. No, thank you. I think that's really helpful for all of us. So, let's turn the page a little bit and start talking about some information that could be helpful for our members. Sandra, if you could give one piece of advice that would significantly improve someone's digital privacy or their online presence, what would that be?

Sandra: I think the tip for members that I can share is just turn on that critical thinking element about where you're sharing your data. And if you already have, you have the right to manage your privacy preferences. I know at OMERS, in members' myOMERS accounts, you can manage your communication preferences, and most companies do offer those services. So if you feel like you want to turn something off or if you want to turn something on, you should feel empowered to do that. You have the right to access your data. And so be curious about what options are out there, and think about what you're sharing.

Jackie: That's a really good tip, because you get that all the time when you open a new website, and it says, manage your preferences, and you know, I'm that person who says, "I don't have time for this. I just say, 'Accept.'" But then of course, you know, it has consequences too. Not that they're taking my personal information, but that website or that company is then serving me up information, you know, through all the different channels, which is really interesting. So David, same question for you. What are some ways that we can keep ourselves safe online?

David: Yeah, absolutely. And just to build on Sandra's point, don't be afraid to ask questions, right? Just because it's not a subject you're comfortable with, not because you're challenging it, but just don't be afraid to ask questions. And I think that applies to a lot of things. Don't be afraid to ask questions if you're not exactly sure what it is.
On the cybersecurity side, I just want to call out the difference at OMERS. We've been talking about collecting and processing member data and how we're being responsible, but we invest heavily in people, process, and technology to make sure we're doing the right things. I think both of you have probably seen stats that have come out. We block almost 10 million emails a quarter from actually getting to people's inboxes. Those are malicious emails looking to do bad for some purpose.

The reality is, at home, you don't have that, right? You don't have my team that's heavily invested day in and day out of making sure that everything is secure and healthy. And so some of the tips that we always recommend is, again, ask questions, right? So if you get an email and a question, it can be to yourself by the way, right? So if you get an email that doesn't make sense or it sounds too good to be true, or it's for somebody that you don't know about, you should be asking, "Why am I getting this, and why do I care?" There's a lot of hooks and lures about how to incentivize people to participate in those emails. And what I would say is, don't let curiosity get the best of you. If you have a gut feeling that it's not right, it probably isn't. And just question the process. That's the first thing.
But some good hygiene, of course, it sounds a little bit repetitive with what everybody's probably heard about over 10 years, is keep your systems up to date, patch your systems. Hackers, malicious actors, they look for unpatched systems. That's how they break in. So, that's our first advice.

My second one is manage your digital identity. Be responsible with your digital identity, right? And so we talk about don't use the same password at every single site and location. I can tell you that we monitor this internally at OMERS. We make sure that if third-party sites, and it could be anything from a hotel that our employees stay at, to vendors that we work with that process data for us, if they are breached, your data will be out there and your passwords are out there. Now we have a process to collect that and get it back and do the right thing. But at home, you don't. And so if one password is out there, if you're using the same password for each and every account, that could be very problematic. So I would say just good practices are patch your system. Do your best to use a password manager and not use the same password at every single location, because you are at the mercy of vendors and what their security posture is. I can't guarantee they have the same due diligence that we have here at OMERS.

And the third thing I would say, and this one is open to interpretation, I would say find a friend, right? And by finding a friend, I mean, everybody in their life has somebody that it's like, I need to use my cell phone. I got a cell phone person. I call them for advice or, you know, I need to go to the dentist, my tooth hurts. Or you have somebody that you call, might not be a dentist, but it's just somebody that's a little bit more passionate about that industry than you are. I would say if you're not passionate about cybersecurity and technology, have a friend, right? And have a friend that you call for help when things are like, "Ah, I got this weird email and things don't look right," have somebody that you can call and just run things by. Don't try and handle things yourself if you're not comfortable with it. So I know that one's a little bit weird, but everybody has to have a friend that you call when things don't look right.

Jackie: Yeah, that's really good advice from both of you because you know, I know people, I'm sure you know people as well, who have fallen victim to some of these scams, right? Phishing scams where someone is pretending to be your bank and telling you to click to this website and input account numbers and things like that. And, you know, all banks tell you, "We would never ask you to do that." So like you said, it's be curious, do your due diligence, have a friend, and make sure that you're not putting yourself at risk. I mean, we are a pension plan.
We deal with a lot of members who may not have been around when technology started. Some of them are getting their pensions for 30 or 40 years. They may be in their 80s and 90s. So, when you go out and you talk to members, because I know you do, you do presentations for some of our stakeholder groups, what are some of the things that you're hearing from them and what is some of the advice that you're giving them?

Sandra: Yeah, no, it's a good question. And so one of the things we always have to understand is what motivates an attacker, whether it's attacking OMERS, or whether it's attacking them in their personal lives. So the reality is, as much as we have programs inside of OMERS to make sure everything is safe and secure, what we don't monitor is our members' email addresses, their own personal email addresses and inboxes that they would use to connect to us.

Some of the discussions we have is that, one, with an aging demographic, there's a couple of things at play. One, they may not be technology savvy. Doesn't mean that they aren't, but they may not be, they didn't grow up with it. To our younger generation, that's very common. It's the way they operate. It's the way they order food today. It's the way they do everything today. To our members, it may not be. And so it might be an area they're not comfortable with.

David: Some of the things we also talk about is some of the attack motives is around cognitive decline, right? And so it's something that we talk about that we have to realize that, as we get older, cognitive decline is real. It hits us all differently. It hits us at different stages in our life, but it's real. And so, attackers are very good at putting pressure on our members to give information so they can get access to their account. They use techniques that tap into cognitive decline.

Now, for those that are not, they're able to detect it and they get away with it. For those that are starting to show cognitive decline with age, and that's not a bad thing.
It's normal.

As we get older, we physically change, we mentally change, my eyes are changing, things change, and we have to recognize it. Attackers are very, very savvy at exploiting those cognitive decline areas. They will put pressure on you to make rush decisions. They will make sure that you don't have time to go ask for help, and they will usually ask you something that you're not comfortable with.

We talked about consent and sometimes you just have to do it. Sometimes, they feel they're in the same position. So again, I think recognizing it is important. Recognizing where we are is important. And we talk about some of the tips about have a friend, don't be afraid to ask, do all these things. I think the same thing applies, that if you're being asked to make a rush decision, any sense of urgency, if you're being asked to change something, don't be afraid to question it. Don't be afraid to phone a friend and say something's not right and ask for help. And if you're really stuck, call OMERS. If it's about OMERS, call us, call the contact center. They will talk to you, they'll walk you through it. If there's a problem, they will connect you with the right department so that we can help you out.
Just recognizing where you are in your aging journey is important. And making the right steps to make sure that you have a plan B and plan C when you find yourself in a sticky situation.

Jackie: Yeah, that's great advice for our members. I mean, we all experience it. I have aging parents and it's the same thing. Sometimes, they just want to talk to somebody on the phone. And, you know, my question is always, "What does that person want?" "What are they asking you? Who is this person that you're talking to?" So sometimes, family members and friends, like you said, can play a big role here in helping all of us and helping our members in particular.

But what should someone do if that actually happens and they do fall victim to a scam or, you know, a hacker or something? Sandra, do you have any advice as to what people should do?

Sandra: Staying in my lane as privacy, you know, definitely contact the privacy office if you are able to figure out where the source of that incident has happened. The privacy office is ready to investigate. They handle incidents and breaches. But this is really a cyber question.

Jackie: Correct. So, if we work for OMERS and we run into this issue, we are calling you, Sandra, and, of course, we are also contacting you, David. So for our members who are out there and this happens to them, do you have any advice as to what steps they should take to address it?

David: I do. It's not a perfect science, because every scenario is going to be a little bit different, but people should be aware of their options. So naturally, if something happens at OMERS, call us. And we have teams responsible to do it, but so do other companies. So if you feel that your Gmail email has been compromised or somebody has access to it, there is information on Google on how you report it and how you work with them to clean it up.
But anytime you find yourself in, I want to say, a situation, it doesn't mean that things don't look good. Why am I getting spam, or why am I just getting suspicious things? But if you think you've participated and you're in the middle of a problem, you always reach out to law enforcement. They're there to help. There is the Canadian Anti-Fraud Association, they will help at least document it and say if it's a known issue, and if it's not known, they'll at least document it to help others and help prevent it from happening.
But if you see things that are suspicious with OMERS, contact OMERS. If you see things that you're getting weird messaging from your bank, call your bank. Don't be afraid to call people. My one advice is, if you're in a situation, break out of that channel. And that channel is, if you're in a text situation, break out of the text. If you're in an email situation, break out of the email and pick up the phone. Find a different avenue to talk to somebody that's not part of that problem.

So if you're in a problem, find a way to communicate with that company, organization, law enforcement, outside of whatever channel the problem exists in. So if it's email, get out of email, pick up the phone, call somebody, drive to the bank, go talk to somebody, the information is always available.

If you're in an email thread that OMERS says, "We have your information," and they claim to be the privacy information, break out of that thread, go to our website, look up their contact information and go to them directly. That would be my advice, that if you find yourself in a problem, report it to law enforcement, report it to the company, and then sort of find a way to communicate outside of that channel.

Jackie: Yeah, that's really, really good advice. And for our members, there are various ways for them to communicate with us. Of course, they can call our call center, they can send us a secure communication, which is an email through a secure channel. We have a live chat, lots of different ways for them to reach us. So, I really like that advice. Break out of the channel, do something else, so that you know you're dealing with the company that you want to be dealing with.

Well, there's lots of food for thought there today. Thank you so much for being on the program.

David: Awesome.

Sandra: Thanks for having us.

David: Thanks for having us.