Project Seeks to Expand Cyberattack Support for Retirement Plan Data
What are firms in the retirement industry doing to help protect against cyberattacks and the threat of financial and participant account information being held hostage?
A recent Bloomberg News article, “Wall Street Aims to Thwart a Hacking Nightmare for Your 401(k)
,” reports that there is a financial industry-led project — dubbed “Sheltered Harbor
” — that is seeking to expand a cyberattack backup program to 401(k) accounts and pension funds.
The program, which currently provides backup support for savings and checking account data and is beginning to incorporate retail brokerage accounts, aims to guard against cyberattacks and the potential for unauthorized access and loss of critical information. A summary guide notes that it is a voluntary initiative created by the financial services industry to provide financial institutions and their customers with an extra layer of protection in the event of a cyberattack.
The program was created by the Financial Services Information Sharing and Analysis Center and comprises nearly 50 of the nation’s largest financial firms, including banks, credit unions, brokerages, processors and financial trade associations.
According to Bloomberg, the initiative relies on a “buddy system,” in which companies pair up with the promise that if one is attacked, the other will provide the affected company “with a backup set of account information if hackers succeed in erasing or locking up files.” The article explains that even though many firms already have a backup system in place, such a system is not much help without a functioning network.
In essence, the program acts as a firewall by isolating the backup information away from a firm’s own network. Consumer data is stored and kept private by each institution, and is encrypted and protected from changes. In addition, the model assumes no central repository for protected accounts.
“If one company’s computer system is devastated, the backup account data can be activated on the partner’s network, giving affected customers access to their accounts within 24 hours or so,” Bloomberg says.
The article notes that the idea surfaced in 2014 following the hacking of Sony Corporation’s U.S. film division. The hackers deleted numerous sources of data and leaked private emails and information about upcoming movies. Financial industry executives apparently realized that a similar attack on even a small firm could damage confidence in the financial system, setting off an alarming chain of events throughout the industry.
While there currently is no comprehensive cybersecurity protocol for retirement plan administration at the federal level, the danger of cyberattacks seems to be garnering more and more attention in the retirement industry. A 2016 report by the DOL’s ERISA Advisory Council emphasizes that it is not a question of whether or not a company will be cyberattacked, but rather when, and what to do about it going forward. The report notes that common cyber risks to benefit plan participants include identity theft, privacy breaches and theft of assets, and that the cost of a breach can be substantial. The Council suggested that plan sponsors and fiduciaries consider a framework upon which to base their cybersecurity risk management strategy and identified several key components of a cybersecurity strategy.
Moreover, as a way to help plan sponsors ensure that employees’ retirement plan information is protected, the SPARK Institute in September 2017 outlined new industry best practices for how recordkeepers should report their cybersecurity capabilities to plan sponsors and plan consultants.