How Should a Plan Sponsor Respond to a Data Breach?

The data breach incident that took place at J.P. Morgan Chase in February, impacting more than 451,000 plan participants, serves as an opportunity for plan sponsors to reflect on their own cybersecurity practices and consider what action they would take if they found themselves in a similar situation. 

According to J.P. Morgan, three authorized system users who are employed by the company’s customers or their agents accessed participant data they were not entitled to see due to a software system issue. A spokesperson said there was no indication of data misuse and clarified that this was “not a cyberattack.” 

J.P. Morgan applied a software update once the firm was aware of the issue. The bank is also offering individuals affected by the breach two years of identity theft protection services.  

But if a plan sponsor, who, for example, uses J.P. Morgan as its recordkeeper, is notified of a breach in which participant information has been exposed, what should be its plan of action? 

Tim Rouse, executive director at the SPARK Institute Inc., says before an incident even occurs, plan sponsors should speak with their vendors about having an incident response plan, which is typically a written document, formally approved by an organization’s senior leadership team, that helps the organization mitigate risk before, during and after a security incident. 

Rouse adds it is important for plan sponsors to understand which systems were impacted by the breach and to determine whether they can isolate those systems and contain the problem. Once the problem is contained and steps have been taken to mitigate the breach, a sponsor needs to have a plan for how the organization will communicate the issue with its participant base. 

“Unfortunately, these incidents will continue to happen, and no one is immune,” Rouse says.  

Once a plan sponsor is happy with its incident response plan, Rouse says it should be used as a “scorecard” to evaluate vendors.  

“It is definitely important to understand from your vendor what the remediation process is for the incident and to track progress,” Rouse says.  

David Donaldson, president of risk management firm and 3(16) fiduciary ERISA Smart, and formerly a senior investigator at the Department of Labor, says retirement plans are increasingly becoming a target for identity theft. 

“Most people’s largest liquid asset is their retirement plan, and [it’s an] account that people don’t frequently monitor,” Donaldson says.    

In response to this increase in data theft, Donaldson launched Participant I.D. last year, a spinoff company, which uses facial recognition software, as well as government identification verification—through requiring participants to scan in their driver’s licenses—and an artificial intelligence-driven system to give a fraud score to a participant login.  

While most retirement accounts use two-factor authentication, Davidson argues that three-factor authentication is more secure, which is what Participant I.D. uses.  

Different Types of Breaches 

When a breach occurs, Rouse explains there are different stages. While the J.P. Morgan incident was not a cyberattack that came from outside the organization, Rouse says a typical cyber breach would involve someone gaining access to participants’ personal information. Then, the actor often packages the information and sells it to another nefarious party who can potentially get into bank accounts or retirement accounts using that information. 

“Stealing data or protecting against a ransomware attack is one function,” Rouse says, but actual theft of money out of retirement accounts is a separate issue. 

If a cyberattack gets to the more dangerous point, where participants’ assets are accessed, Donaldson says it is important to have increased oversight on the distributions that are being approved from participants’ accounts. 

“Plan sponsors don’t take the time to fully vet distributions,” Donaldson says. “In most instances, they get an email from the recordkeeper that there’s a distribution that needs to be approved. With old systems, [the plan sponsor] clicks a button and that approves [the distribution]. Very little due diligence goes into making distributions from plans.” 

Donaldson says this lack of oversight is more prevalent at larger companies. 

“If you have a 20-person plan, typically the plan sponsor knows who’s recently [left the company] and is taking a distribution,” Donaldson says. “But when you get into these larger plans, you don’t know all 100 or 1,000 employees … because operating a plan takes time away from business-building activities, and to be able to approve a distribution without having to do any work is the easy way to mitigate that time constraint that distributions have on the plan sponsor.” 

When a breach occurs in general, Donaldson says it is important for plan sponsors to communicate with their recordkeeper, obtain a list of participants they believe were jeopardized and ensure that those participants were properly notified.  

Donaldson notes that technology is advancing rapidly, and hackers are now using sophisticated technology and AI to steal identities.  

“The [retirement] industry has been very slow to react,” Donaldson says. “The technology being used in our industry is just old and needs to be updated… The key is for the industry to step up in terms of their tools. And plan sponsors need to either start being more diligent or outsourcing their distributions [to secure software systems].”