Cybersecurity threats are no longer confined to IT departments or large corporations. They are increasingly a governance and fiduciary issue, especially for public employee retirement systems that rely on a wide network of employers, vendors, and service providers.

In the latest episode of The TEXPERS Deep Dive, we take a closer look at the 2025 Business Impact Report from the Identity Theft Resource Center (ITRC), released in December 2025. While the report focuses on small businesses, its findings carry direct implications for public pension trustees and administrators across Texas.

What the Report Examined

The ITRC, a national nonprofit organization focused on identity crime prevention and victim assistance, surveyed more than 600 small business leaders nationwide. The goal was to understand how cyber incidents are affecting organizations financially, operationally, and strategically, particularly as artificial intelligence reshapes the threat landscape.

The results paint a sobering picture:

• More than 80 percent of surveyed businesses experienced a security or data breach in the past year.
• Over 40 percent of incidents involved AI-powered attacks, including advanced phishing and impersonation schemes.
• More than half of affected businesses reported financial losses between $250,000 and $1 million.
• Nearly 40 percent said they raised prices to recover from cyber losses, effectively passing costs on to customers.

Why It is Meaningful to Public Pension Systems

Public retirement systems do not operate in isolation. They depend on payroll processors, technology vendors, custodians, investment service providers, consultants, and municipal employers. Many of these entities fall into the small-business category examined in the report.

When those organizations experience cyber incidents, the impact can ripple outward. Potential consequences include:

• Exposure of sensitive member or employee data
• Service disruptions affecting contributions or benefit administration
• Increased vendor costs driven by cyber losses or insurance challenges
• Reputational risk for pension systems connected to breached partners

For trustees, these risks intersect directly with fiduciary responsibilities related to operational oversight, risk management, and prudent governance.

A Shift in the Threat Landscape

One of the most significant takeaways from the report is the rapid evolution of cyber threats. The emergence of AI-powered attacks has made scams more convincing, faster to deploy, and harder to detect. At the same time, the report found that adoption of basic security controls, such as multi-factor authentication, declined among surveyed businesses.

This disconnect between rising risk and declining preparedness highlights why trustees and administrators cannot assume vendors are “handling cybersecurity” on their own.

Practical Takeaways for Trustees and Administrators

The report reinforces several actions that pension leaders may want to consider:

• Elevate cyber risk to the board level. Treat cybersecurity as an enterprise risk, not just a technical issue.
• Strengthen vendor oversight. Ask vendors about their cybersecurity practices, training programs, and breach response plans.
• Review contracts and policies. Ensure agreements address breach notification timelines, liability, and insurance coverage.
• Incorporate cyber questions into procurement. RFPs and renewals are opportunities to reinforce expectations.
• Plan for incident response. Understand how your system would respond if a key vendor or partner were compromised.

Why This Matters Now

As cybercrime becomes more sophisticated and more costly, the financial and operational stability of pension systems increasingly depends on the resilience of their broader ecosystem. Trustees and administrators play a crucial role in asking the right questions and setting clear expectations.

The 2025 Business Impact Report serves as a timely reminder that cyber risk is no longer abstract. It is measurable, it is expensive, and it is now firmly within the scope of fiduciary awareness.

To hear a deeper discussion of the findings and what they mean for Texas public pension systems, listen to the latest episode of The TEXPERS Deep Dive.

About the Author: Allen Jones serves as TEXPERS' Director of Communications and Event Marketing. He brings more than two decades of experience in journalism and publication management and now guides the Association's strategic communications. [email protected]