Cybersecurity: Heading Off Trouble

Individuals’ financial information is so valuable that identity thieves will do just about anything to steal it, including gaining entry into retirement plan records that aren’t properly protected. But there is something you can do. You can act first — before the break-in even takes place.

Are Retirement Plans at Risk?

Like any electronic environment, the one in which TPAs and recordkeepers function can be breached. “While hacking is nothing new, the pace of large-scale cyberattacks has accelerated significantly in recent years,” says the Callan Institute in its Second Quarter 2018 newsletter feature, “Your Plan Will Face a Cyberattack. Here’s How to Prepare.” It continues, “More worrisome for many plan sponsors, the focus of cyberattacks in the defined contribution world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.”

In a post on McGuireWoods’ blog, “Cybersecurity and Retirement Plans,” Attorney Maria Rasmussen says, “It seems that most employees and plan participants ‘think’ their retirement money and data are not at risk.” She continues, “retirement plans are particularly at risk for cybersecurity incidents because of the nature of the data maintained in connection with employer and third party administrator intranet and websites.” The factors to which she attributes that include:

  • the electronic environment in which they operate;
  • benefit plan information includes sensitive employee information that is often shared with multiple third parties;
  • cybersecurity planning for employers generally does not incorporate benefit plans;
  • benefit plans are not regulated in the same manner as other businesses that handle personal data;
  • regulations that govern businesses do not cover benefit plans in the same way; and
  • software that protects against viruses and spam, as well as authentication methods such as passwords, can lull plan administrators, sponsors and participants into a false sense of security.

What Are the Threats?

“Cyberthreats can take many forms and involve a wide variety of malicious actors… And the cyber threat landscape continues to evolve, driven in part by the ever-changing security requirements that accompany developing technologies,” Callan says. According to Rasmussen, the threats to retirement plans include fraudulent transfers of participant plan assets, phishing and ransomware attacks. She adds that especially at risk are:

  • personally identifiable information, including Social Security numbers, dates of birth, beneficiary information and e-mail addresses; and
  • employee/participant enrollment data, such as information on account balances, plan assets, direct deposits, compensation and payroll, as well as other financial data.

Callan adds that employees using their personal devices at work, the rise in connected devices such as Amazon’s Echo speakers — sometimes referred to as the “Internet of Things” (IoT) — and increased adoption of cloud-based applications and data storage also put retirement plans and participants at risk.

And, Callan warns, there is more to worry about than just the risk to technology. “It is a people issue as well,” they say. But that can be inadvertent as well as nefarious. They found that 17% of breaches resulted from “casual” errors, 17% were social attacks, and 12% involved misuse of privilege.

Who is behind those breaches? Callan reports that for almost three-quarters of breaches — 73% — outsiders were responsible; organized crime was responsible for 50% of them; 28% of breaches involved internal actors; and 12% involved parties connected to foreign nations.

Planning Ahead

It’s not enough to simply react, both suggest. “Organizations and governments typically have taken a reactive approach to cyberthreats, addressing them after an incident,” says Callan, adding that doing so is not only “expensive and complex, it is also largely ineffective.” Both Callan and Rasmussen offer ideas regarding steps that can be taken to stop a cyberattack from happening in the first place.

Callan recommends setting up a security framework, and says that such an effort typically entails the following steps.

  1. Perform risk assessment to understand the overall cybersecurity risk to the organization.
  2. Create policies and procedures for governance and to protect information.
  3. Conduct awareness education and training.
  4. Establish protocols to control access to data and who can access it.
  5. Manage plan information and participant data to protect data security.
  6. Employ protective technology and use software to ensure the systems’ security and resilience.
  7. Maintain systems in a way that is consistent with procedures and policies.

Rasmussen adds other options to consider:

  • Encourage plan participants to choose strong passwords, change them often, be careful to keep passwords private, and log out completely from any sites related to the plan; and consider requiring them to provide two forms of authentication to gain access to retirement accounts.
  • Consider retaining an outside firm to conduct audits of plan security.

Callan suggests answering seven questions in order to be better prepared against a cyberattack:

  1. What is the internal risk?
  2. Where does data go and how is it transmitted and stored?
  3. Have you conducted appropriate due diligence on your vendors and their partners?
  4. How do you define a “breach”? How do your vendors?
  5. How do you monitor vendors’ internal processes and procedures and those of their external partners?
  6. Do contracts and agreements cover indemnification, notification and remediation?
  7. What processes do you follow when there is a breach?

Another option, Callan and Rasmussen suggest, is to purchase a cyberinsurance policy, which is used to protect against breaches that affect information technology, infrastructure and related activities. Such coverage, Callan says, usually is not part of traditional commercial general liability policies. But exercise care, Callan argues: “Ultimately, cyberinsurance must be viewed as more than a commodity, and policy buyers should be careful to investigate both what is covered and what events trigger coverage.”

And remember that needs change, Callan cautions. “Cybersecurity is a constantly evolving, high-priority task for plan sponsors,” the report warns. Callan argues that the means of protecting data will need continued development and adaptation, just as the opportunities to steal information keep evolving.