Feature | Published in December 2000

Halting the Hackers

As more and more retirement plan data hit cyberspace, sponsors need to keep up with the latest precautions to ensure privacy and prevent online pilfering

By Ann Bidou | December 2000

Angela Reynolds, director of retirement planning and consulting at data technology conglomerate NCR Corporation in Dayton, Ohio, spent a year bringing her $1.9 billion 401(k) plan online. Now, Reynolds is starting to put information on NCR's $3.5 billion defined benefit plan online as well to help employees calculate what their monthly payments would be at various termination dates.

All well and good, and yet Reynolds is treading very cautiously, because chances are that, at this very moment, someone is devising a way to hack into her plan data.

Participant demand for Net-related services has not been lost on employers. Whereas Plan Sponsor's 1999 Defined Contribution Services Survey found three-quarters of 401(k) plan participants able to pull up account balances via the Web, our 2000 survey, released last month, found nearly 90% tapping the Net for that purpose. This means plan sponsors must face the fact that a new "worm" or other security-breaking program introduced from the outside could allow hackers to:

* Alter or delete account files accessible by participants online
* Set up phony participants who could then apply for loans and collect benefits
* Change or steal PINs for undetected use by those wanting to view another's personal information or steal their savings by having checks diverted to a different address.

And while external hackers are a serious problem, Reynolds knows that NCR's plans also are vulnerable from within. Disgruntled employees often have the greatest means—and incentive—to vandalize or defraud your system, experts note.

This year, 38% of incidents involving corporate computer crime "originated from internal sources, and 59% from the outside, with 3% unclear," says Scott Charney, a partner with PricewaterhouseCoopers' Dispute Analysis and Investigations Group in Washington. (Charney cites data from a Computer Security Institute Issues and Trends survey representing the views of 443 corporate information specialists.)

Loan fraud or privacy breaches committed by divorced spouses who know PINs—or even rogue human resource employees—also may be quick and anonymous in the digital environment.


Real or imagined?

Whereas an FBI spokesperson could not point to specific cases where hackers had targeted retirement plans, anecdotal evidence suggests that attacks occur frequently—though they often may go unreported. "Generally, there isn't a day that goes by when somebody doesn't try to get in," CIGNA informally told Carl Gold, vice president of administration at Fuji Photo Film U.S.A.'s $100 million defined contribution plan in Elmsford, New York. "Unofficially, they say unauthorized account entry attempts are a very common thing. It may be people who've forgotten their password, or it may be people from the outside," says Gold. "It's hard for them to distinguish between the two."

Former Department of Labor investigator Sherwin Kaplan, now with Washington law firm Piper Marbury Rudnick & Wolfe, thinks security is an especially critical issue for mid-size pension plans, which may lack the resources of their larger peers. Kaplan recalls several cases back in the 1980s involving major Taft-Hartley plans where phantom employees were created—both to file medical claims and to build up pension credits to draw on. While these cases of data manipulation were paper-based, "that type of (illegal) thing could be done today on the Internet," Kaplan says, and with much greater efficiency. "Today, I can electronically access my bank account or medical records... Therefore, so can others."

"I've heard stories that have given me prickles on the back of my neck," says a DoL spokesperson. "Statistics show that [retirement plan] vendors must have had attacks," adds Compuware Corporation human resource research manager Joe Schuster, whose company sponsors a $300 million 401(k) plan. "But, advertising you resolved a hacker problem entices other hackers to test it."

Clearly, security breaches across the financial services landscape and elsewhere are keeping pace with the Internet's explosive growth. A few for-instances:

* In the summer of 1994, Russian hackers broke into Citibank's computers and completed $10 million in unauthorized transfers, $400,000 of which was never recovered.
* In February 2000, attack software was found (but disarmed before deployment) on the servers of some of the nation's largest banks.
* A survey published in March 2000 by the Washington-based Computer Security Institute found 90% of respondents, mostly big corporations and government agencies, had detected security breaches over the previous 12 months.
* A list of "hacked" sites that is available at reports 48 banks recently were cracked.
* Industry giant Microsoft Corporation endured a 12-day attack in October 2000, where hackers gained access to its well-guarded, highly secret product source codes—the equivalent of seeing Kentucky Fried Chicken's secret herbs and spices recipe. Advanced "worm" technology was credited for the break-in.

"We really believe the Internet is where the benefits field is moving," says NCR's Reynolds. That is why, "in our RFP process, we gave the greatest weighting to technology and data security." NCR chose Fidelity, which in 1996 became the first company to offer online defined contribution account access. Impressed with Fidelity's answers to the in-depth technological section of NCR's defined contribution RFP, Reynolds is committing NCR's defined benefit online calculation service (and the data that feed it) to Fidelity as well.

Reynolds worked closely with her own information technology people to make sure the vendor she ultimately hired would cover every possible base. In terms of disaster recovery, for instance: "We want to know in detail what their internal auditing procedures are, and all their security features for any type of online access—be it Internet, intranet, or extranet. We really dig into their system."

During the conversion process, NCR's technology team went over nearly every aspect of Fidelity's Web security system from firewalls, encryption techniques, and PIN security to fraud, virus protection, and internal audit procedures. NCR's IT people are also involved in the implementation process to ensure compliance with the standards agreed to in the client contract, notes Reynolds. Thus far, however, NCR has stopped short of buying computer crime insurance.

Between protections instituted by NCR's own information staff and Fidelity's, Reynolds feels that plan participants' accounts and personal information—not to mention her job—are safe, at least for now. And yet, she knows there are plenty of ways to compromise the security of account and administrative information residing on the Internet that she and her vendor may have never considered. In one incident recounted by an anonymous government source, a number of plan participants shared their passwords with a trading service, allowing the service direct access to their accounts for "timelier" trading. Needless to say, whenever unauthorized users gain access to a plan, its integrity is compromised. And, it is usually the plan sponsor that has the ultimate fiduciary responsibility for such breaches.

Compuware's Schuster, whose technological resources are state-of-the-art, admits he has been pretty relaxed about his 401(k)'s data security. His last vendor review occurred during an RFP process undertaken two and a half years ago.

But, Compuware probably should be thinking about hacker attacks, he says, "because that can happen to any system."


PBGC's "sneaker"

The Pension Benefit Guaranty Corporation has already proved that to be true. Between May and July of 1999, its consultant, PricewaterhouseCoopers, tested PBGC's computer systems for vulnerabilities. While unable to crack PBGC's Net security, the pseudo-hackers gained access to network systems through other phone lines, using hacker dialing software. Network servers, plan data, and e-mail all were entered through unprotected pathways. Fortunately, these holes were plugged before outsiders could find them.

"We're only seeing the beginning of the battle between those that are going to access sites and take money in the online world and the people who are trying to prevent it," says R. Brad Oates, president of Lexis-Nexis Risk Solutions Group in Dallas, which specializes in fraud audits and data risk exposure consulting. "There's going to be a chess match; a lot of very bright people are waking up every day thinking about how they can scam the system. My sense with a pension plan is there are scams to be had."

Oates, a former bank chairman, believes the anonymous electronic environment makes pension funds prime targets for fraud. That is why identity verification online is so key. "One problem is real people who are able to electronically apply for and receive greater benefits than they are entitled to because of loopholes in electronically verifying their facts," Oates says. "Or they may be able to go in and alter the entitlement facts. Second, someone could take on another's identity and divert money via fraudulent loans or changing the address to which benefits are sent. An estranged spouse with knowledge of PINs and personal information is a good example," though no one interviewed for this article was aware of a specific instance like this.


Certificates and insurance

Oates thinks digital certificates may be the answer to account privacy concerns. The certificates are digital identities composed of bits of personal information that only authorized individuals would know. "Digital certificate technology would allow for the safe transactional flow of benefits to beneficiaries," he says. "These incorporate Level Four identity verification, which is the highest level we can provide."

"What people [also] do is insure these kinds of risks with Errors and Omissions coverage," says Oates.

In one insurance arrangement that is still considered unusual, Lloyd's of London offers $100 million worth of coverage to clients of the San Jose, California-based computer security firm Counterpane Security. The policy addresses monetary losses sustained if a hacker breaks through Counterpane's security defenses and manipulates customer data. Should that happen, Lloyd's is expected to cover it, says a Counterpane spokesperson.

Just be sure to "use bonded vendors who will stand behind the risk if information is shared or used inappropriately," Oates cautions. And, remember there are no 100% guarantees against data being lost, stolen, destroyed, or subjected to unauthorized access. "Perfectly executed household fraud is very difficult to catch," admits Oates.

Schuster believes that, if you have not reviewed your vendors' online delivery systems within the last 12 months, you may have new privacy and security exposures going uncorrected, like the recently deployed worm that hit Microsoft.

"In the pension world, you have to have the highest safeguards because of the social risk," Oates concludes. "People are relying on that money as their life savings. If that gets disrupted, the social outrage is much greater than with virtually any other financial services provider. At the end of the day, it's your reputation."