Public pension funds hold some of the most sensitive information in local government. This includes Social Security numbers, banking details, beneficiary records, and extensive financial histories for active and retired public servants. As geopolitical tensions rise, cyber risks evolve, and regulations shift, organizations across every sector are reassessing the extent of control they truly have over their technology and data environments.

A recent report from McKinsey, titled "Boards Are Calling for More Digital Autonomy: How CIOs Can Deliver," explains why corporate boards are elevating digital autonomy as a strategic concern. Although the report focuses on private enterprise, its findings are highly relevant to public employee retirement systems. Trustees and administrators are responsible for protecting member data and ensuring uninterrupted operations; the risks described in the report directly relate to these duties.

Below is what the analysis means for TEXPERS System Members and how trustees can apply these insights in board discussions.

A Shifting Technology Risk Landscape

The McKinsey report outlines five categories of risk associated with heavy dependence on global cloud providers and technology vendors. These include:

• Regulatory complexity, driven by evolving laws about where data can reside and who can access it.

• Technical disruption caused by geopolitical or supply chain conditions that may affect service availability.

• Questions about intellectual property and data ownership, especially when different jurisdictions assert rights over data stored within their borders.

• Economic exposure resulting from policy changes, export controls, or new fees.

• Reputational risk connected to stakeholder perceptions of how well an organization manages digital resilience.

For pension systems, these issues are directly tied to fiduciary responsibility. Boards must consider whether their systems can continue operating if a vendor experiences disruption, whether contracts limit cross-border data exposure, and whether the fund has complete control over its backups, encryption keys, and data retrieval rights.

Trustees do not need to be technology experts, but they must be prepared to ask informed questions.

What Pension Funds Can Learn From Corporate Boards

McKinsey presents several strategies that organizations are using to improve digital autonomy and resilience. These strategies can help guide decision-making within public pension systems.

1. Strengthening Control Within Existing Vendor Relationships

Many organizations are tightening service-level agreements, requiring local control of encryption keys, and defining strict access rules.

For pension systems, this means reviewing whether vendors or subcontractors have any unexpected access to member data. It also means confirming that sensitive data is encrypted using keys controlled by the pension system, not by the vendor. Backup and recovery processes should remain operational even if a vendor's larger network faces disruption.

2. Using Hybrid or Sovereign Cloud Models When Appropriate

Some organizations are opting to run stable and mission-critical workloads in local or private environments to reduce their dependency on global providers.

Public pension systems can evaluate which workloads require public cloud scalability and which do not. Critical functions such as benefit payments, actuarial information, and document archives should have redundancy outside a single commercial provider.

3. Prioritizing Vendor Diversification and Portability

The report emphasizes the importance of designing systems that can seamlessly transition between providers as needed. This concept of workload portability helps reduce exposure to regulatory changes and service interruptions.

Trustees can inquire whether the pension system can transition to a different vendor if necessary, whether all data can be retrieved in usable formats, and whether contracts permit data export without penalties.

4. Understanding the Role of Open Source Technologies

McKinsey notes that many organizations are adopting open-source software to reduce reliance on proprietary platforms and to improve transparency.

While public pension systems may not be developing their own software, it is essential to understand whether vendors utilize open or closed systems. This impacts auditability, data governance, and the vendor's ability to demonstrate compliance effectively.

Trustees should consider asking vendors to explain how their systems are built, not only what they do.

Questions Trustees Can Take to Their Boards

Below are governance questions informed by the McKinsey report. These can help trustees strengthen oversight.

Vendor Governance

• Do our technology vendors rely heavily on global platforms that may introduce jurisdictional or regulatory risk?

• Are there clear contractual limits on third-party access to member data?

Operational Continuity

• If a major vendor experiences disruption, can we still process payments and maintain essential services?

• Do we have documented fallback environments or redundant systems?

Data Control

• Who controls our encryption keys?

• Can we independently retrieve all member records?

Procurement Oversight

• Are we evaluating technology proposals with long-term autonomy in mind, not only cost?

• Do our procurement processes address data portability and vendor diversification?

AI and Future Readiness

• If vendors incorporate artificial intelligence tools, do we understand how data is stored, governed, and audited within those systems?

Conclusion: Digital Autonomy Matters to Public Pension Governance

The McKinsey report frames digital autonomy as intelligent interdependence. This means maintaining control where it is most important, while still benefiting from innovation offered by external providers.

For public pension systems, the implications are clear. Trustees must safeguard member data, ensure continuous benefit payments, minimize technology concentration risk, and support secure adoption of modern tools. This requires thoughtful oversight, well-structured vendor relationships, and procurement practices that anticipate future conditions.

Trustees do not need to implement technology solutions themselves, but they do need to understand the strategic questions well enough to set clear expectations and evaluate associated risks. Strong governance in this area helps protect the long-term retirement security of Texas public servants.

About the Author: Allen Jones is the director of communications and event marketing for TEXPERS. He joined the Association in 2017. Before TEXPERS, he worked in the news media industry, producing content for newspapers, magazines, and online publications and leading newsrooms as an editor and publications manager. [email protected]