One of the most remarkable findings of Callan’s 2019 Defined Contribution Trends report is that cybersecurity is not a top priority for many plan sponsors.
Plan fees, participant communication, financial wellness, fund/manager due diligence, and six other items were given higher priority than addressing cyberthreats.
One can only hope plan sponsors have already implemented data protection systems and processes at an organizational level and have audited their service providers—recordkeepers, trustees, advice providers, and so on—to ensure adequate measures have been taken to secure participants’ personal data.
Cyberattacks on plan sponsors are increasing
The reality is that retirement plans experience cyberattacks.
The Callan Institute’s DC Observer reported, “…the focus of cyberattacks in the defined contribution (DC) world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.”
Cyberattacks can come in many forms. According to a December 2018 Pension Research Council Working Paper, they can include:
- Phishing: Cybercriminals pretend to be a trusted financial organization or vendor and request personal data. The e-mail requests usually include a link to a form where victims enter the requested information.
- Malware: This broad term refers to any type of malicious code that destroys or steals data or locks up computers or networks.
- Rogue software: Hackers sometimes disguise corrupt code as legitimate security software. Often, a pop-up window encourages system users to download software updates.
- Password identification: If cyber thieves are able to decipher passwords, they can easily access sensitive information. The National Institute of Standards and Technology recently revised its advice about passwords. The new advice is to keep passwords lengthy (within reason) and memorable. Passwords should be complex, but not so complex that they have to be written down or stored electronically.
- Denial-of-service attacks: Attackers send an enormous volume of data requests until a network becomes overloaded and fails to function. These tend to be protests rather than attempts to steal data or money.
- “Man in the middle” attacks: By impersonating an organization’s login page, cybercriminals can access all information communicated between an organization and an individual (or another organization). That’s why recordkeepers and financial firms typically have encrypted access points.
- Drive-by downloads: When users visit a legitimate website that has been compromised, malicious code on the site downloads a program onto their systems. A snippet of code can then spread the program throughout a network. Detachable drives also can be used for this purpose.
A type of fraud that has been perpetrated against several large plan sponsors involves criminals accessing the personal data of plan participants via the dark web or other means of identity theft.
Once the data has been collected, the criminals contact plan sponsors or service providers, pretend to be the participant, and request distributions.
Often, protecting against cyberattacks means improving awareness among plan participants, administrators, and service providers.
Offering education about how to identify and avoid attacks, and implementing appropriate security systems, are critical.
Managing cyberthreats should be a priority
It is not possible to eliminate cyberattacks, but it is possible to strengthen protections against them.
In 2016, an ERISA Advisory Council (EAC) report suggested, “Plan sponsors and fiduciaries should consider cybersecurity in safeguarding benefit plan data and assets, as well as when making decisions to select or retain a service provider.”
The critical elements of cyber risk management strategies outlined by the EAC included:
- Understanding plan data. Plan sponsors must know what types of data are collected and how the data is used. As a general rule, they should only collect data that is necessary to plan operations because it is legally required or used in a specific business process.
- Understanding cybersecurity frameworks. Frameworks guide the processes and systems an organization puts in place to assess and improve its ability to identify, respond to, and prevent cyberattacks.
- Evaluating processes and assigning responsibility. Cybersecurity strategies are multifaceted and often include implementation, monitoring, testing, updating, reporting, training, controlling data access, and more. These processes and the parties accountable for overseeing them should be clearly defined.
- Customizing strategies. Plan sponsors should implement robust and adaptive strategies that meet the needs of their plans after considering resources, cost, insurance coverage, industry and governmental certifications, and organizational integration. The Council suggested plan sponsors seek the guidance of ERISA legal counsel, as well as cybersecurity experts.
- Considering state law. Plan sponsors should engage legal counsel to determine whether they have any legal obligations under state data security laws.
Managing cybercrime requires implementation of effective authentication tools and processes. Since many participants’ names, birth dates, and Social Security numbers are available on the dark web, traditional authentication measures are inadequate.
Alternatives, such as knowledge-based identifiers and biometrics, offer greater security.
However, even knowledge-based data is increasingly available on the dark web as more widespread data breaches occur.
In addition to adopting effective in-house security measures, plan sponsors also must evaluate the cybersecurity systems of plan service providers.
It’s a difficult task because service providers must maintain some degree of secrecy regarding the products and processes they use to safeguard data.
Similarly, it’s difficult to establish highly specific rules and regulations for cybersecurity without having them serve as a ‘how-to’ for cybercriminals.
Late last year, the Pension Research Council recommended plan sponsors engage third parties to audit service providers. The auditors would apply a consistent set of standards to help plan sponsors evaluate cybersecurity protocols.
Engaging third parties would give service providers flexibility to implement security frameworks that suit the needs of their enterprises, while a uniform standard and process for audits would offer plan sponsors assurance that the framework provides necessary protection.
While the fiduciary obligations of plan sponsors with respect to plan and participant data have not been clearly defined, a variety of entities—the Securities and Exchange Commission, Department of Labor, various industry organizations, and several states—have been working on guidelines and regulations for retirement benefits plans.
Cybersecurity is becoming more important for companies that operate in the retirement benefits space. If it is not a priority for your plan, you may want to reconsider.
Terry Dunne is senior vice president and managing director of Retirement Services at Millennium Trust Company, LLC. Mr. Dunne has over 35 years of extensive consulting experience in the financial services industry. Millennium Trust Company performs the duties of a directed custodian, and as such does not sell investments or provide investment, legal or tax advice.