As more and more retirement plan data hit
cyberspace, sponsors need to keep up with the latest
precautions to ensure privacy and prevent online
pilfering
Angela Reynolds, director of retirement planning and
consulting at data technology conglomerate NCR Corporation
in Dayton, Ohio, spent a year bringing her $1.9 billion
401(k) plan online. Now, Reynolds is starting to put
information on NCR's $3.5 billion defined benefit plan
online as well to help employees calculate what their
monthly payments would be at various termination dates.
All well and good, and yet Reynolds is treading very
cautiously, and with reason: chances are that, at this very
moment, someone is devising a way to break into her plan data.
Participant demand for Net-related services has not been
lost on employers. Whereas Plan Sponsor's 1999 Defined
Contribution Services Survey found three-quarters of 401(k)
plan participants able to pull up account balances via the
Web, our 2000 survey, released last month, found nearly 90%
tapping the Net for that purpose. This means plan sponsors
must face the fact that a new "worm" or other
security-breaking program introduced from the outside could
allow hackers to:
* Alter or delete account files accessible by participants online
* Set up phony participants who could then apply for loans and collect benefits
* Change or steal PINs for undetected use by those wanting to view another's personal information or steal their savings by having checks diverted to a different address.
And while external hackers are a serious problem,
Reynolds knows that NCR's plans also are vulnerable from
within. Disgruntled employees often have the greatest
means, and incentive, to vandalize or defraud your system,
experts note.
This year, 38% of incidents involving corporate computer
crime "originated from internal sources, and 59% from the
outside, with 3% unclear," says Scott Charney, a partner
with PricewaterhouseCoopers' Dispute Analysis and
Investigations Group in Washington. (Charney cites data
from a Computer Security Institute Issues and Trends survey
representing the views of 443 corporate information
specialists.)
Loan fraud or privacy breaches committed by divorced
spouses who know PINs, or even by rogue human resource
employees, also may be quick and anonymous in the digital
environment.
Real or imagined?
Whereas an FBI spokesperson could not point to specific
cases where hackers had targeted retirement plans,
anecdotal evidence suggests that attacks occur
frequently, though they often may go unreported. "Generally,
there isn't a day that goes by when somebody doesn't try to
get in," CIGNA informally told Carl Gold, vice president of
administration at Fuji Photo Film U.S.A.'s $100 million
defined contribution plan in Elmsford, New York.
"Unofficially, they say unauthorized account entry attempts
are a very common thing. It may be people who've forgotten
their password, or it may be people from the outside," says
Gold. "It's hard for them to distinguish between the
two."
Former Department of Labor investigator Sherwin Kaplan,
now with Washington law firm Piper Marbury Rudnick &
Wolfe, thinks security is an especially critical issue for
mid-size pension plans, which may lack the resources of
their larger peers. Kaplan recalls several cases back in
the 1980s involving major Taft-Hartley plans where phantom
employees were created, both to file medical claims and to
build up pension credits to draw on. While these cases of
data manipulation were paper-based, "that type of (illegal)
thing could be done today on the Internet," Kaplan says,
and with much greater efficiency. "Today, I can
electronically access my bank account or medical records...
Therefore, so can others."
"I've heard stories that have given me prickles on the
back of my neck," says a DoL spokesperson. "Statistics show
that [retirement plan] vendors must have had attacks," adds
Compuware Corporation human resource research manager Joe
Schuster, whose company sponsors a $300 million 401(k)
plan. "But, advertising you resolved a hacker problem
entices other hackers to test it."
Clearly, security breaches across the financial services
landscape and elsewhere are keeping pace with the
Internet's explosive growth. A few for-instances:
* In the summer of 1994, Russian hackers broke into Citibank's computers and completed $10 million in unauthorized transfers, $400,000 of which was never recovered.
* In February 2000, attack software was found (but disarmed before deployment) on the servers of some of the nation's largest banks.
* A survey published in March 2000 by the Washington-based Computer Security Institute found 90% of respondents, mostly big corporations and government agencies, had detected security breaches over the previous 12 months.
* A list of "hacked" sites that is available at attrition.org/mirror/attrition reports 48 banks recently were cracked.
* Industry giant Microsoft Corporation endured a 12-day attack in October 2000, where hackers gained access to its well-guarded, highly secret product source code, the equivalent of seeing Kentucky Fried Chicken's secret herbs and spices recipe. Advanced "worm" technology was credited for the break-in.
"We really believe the Internet is where the benefits
field is moving," says NCR's Reynolds. That is why, "in our
RFP process, we gave the greatest weighting to technology
and data security." NCR chose Fidelity, which in 1996 became
the first company to offer online defined contribution account
access. Impressed with Fidelity's answers to the in-depth
technology section of NCR's defined contribution RFP,
Reynolds is committing NCR's defined benefit online
calculation service (and the data that feed it) to Fidelity
as well.
Reynolds worked closely with her own information
technology people to make sure the vendor she ultimately
hired would cover every possible base. In terms of disaster
recovery, for instance: "We want to know in detail what
their internal auditing procedures are, and all their
security features for any type of online accessbe it
Internet, intranet, or extranet. We really dig into their
system."
During the conversion process, NCR's technology team
went over nearly every aspect of Fidelity's Web security
system from firewalls, encryption techniques, and PIN
security to fraud, virus protection, and internal audit
procedures. NCR's IT people are also involved in the
implementation process to ensure compliance with the
standards agreed to in the client contract, notes Reynolds.
Thus far, however, NCR has stopped short of buying computer
crime insurance.
Between protections instituted by NCR's own information
staff and Fidelity's, Reynolds feels that plan
participants' accounts and personal information (not to
mention her job) are safe, at least for now. And yet, she
knows there are plenty of ways to compromise the security
of account and administrative information residing on the
Internet that she and her vendor may have never considered.
In one incident recounted by an anonymous government
source, a number of plan participants shared their
passwords with a trading service, allowing the service
direct access to their accounts for "timelier" trading.
Needless to say, whenever unauthorized users gain access to
a plan, its integrity is compromised. And, it is usually
the plan sponsor that has the ultimate fiduciary
responsibility for such breaches.
Compuware's Schuster, whose technological resources are
state-of-the-art, admits he has been pretty relaxed about
his 401(k)'s data security. His last vendor review occurred
during an RFP process undertaken two and a half years
ago.
But, Compuware probably should be thinking about hacker
attacks, he says, "because that can happen to any
system."
PBGC's "sneaker"
The Pension Benefit Guaranty Corporation has already
proved that to be true. Between May and July of 1999, its
consultant, PricewaterhouseCoopers, tested the agency's computer
systems for vulnerabilities. While unable to crack PBGC's
Internet-facing security, the pseudo-hackers gained access to
internal network systems through another route: dial-in phone
lines, located with automated dialing ("war-dialing") software,
that bypassed the Internet defenses entirely. Network servers,
plan data, and e-mail all were reached through these unprotected
pathways. Fortunately, the holes were plugged before any
outsider found them.
"We're only seeing the beginning of the battle between
those that are going to access sites and take money in the
online world and the people who are trying to prevent it,"
says R. Brad Oates, president of Lexis-Nexis Risk Solutions
Group in Dallas, which specializes in fraud audits and data
risk exposure consulting. "There's going to be a chess
match; a lot of very bright people are waking up every day
thinking about how they can scam the system. My sense with
a pension plan is there are scams to be had."
Oates, a former bank chairman, believes the anonymous
electronic environment makes pension funds prime targets
for fraud. That is why identity verification online is so
key. "One problem is real people who are able to
electronically apply for and receive greater benefits than
they are entitled to because of loopholes in electronically
verifying their facts," Oates says. "Or they may be able to
go in and alter the entitlement facts. Second, someone
could take on another's identity and divert money via
fraudulent loans or changing the address to which benefits
are sent. An estranged spouse with knowledge of PINs and
personal information is a good example," though no one
interviewed for this article was aware of a specific
instance like this.
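The abuse patterns this article keeps returning to (a stolen or shared PIN, an address change followed by a diverted check or fraudulent loan, and the difficulty CIGNA describes in telling a participant who forgot a password from an outsider trying to get in) all leave traces in a recordkeeper's transaction and login logs. The following is an added example, not code from the article, NCR, Fidelity or any vendor named here: a small detection script over a constructed log with an assumed schema of (timestamp, participant ID, action, source IP, succeeded). The account numbers, IP addresses and the 30-day window are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real plan data. Assumed schema:
# (timestamp, participant id, action, source IP, succeeded?)
SAMPLE_EVENTS = [
    # 1001: a normal login, then an address change and a loan request two days later
    ("2000-10-01 12:00", "1001", "login", "10.1.1.5", True),
    ("2000-10-02 09:12", "1001", "address_change", "10.1.1.5", True),
    ("2000-10-04 14:25", "1001", "loan_request", "10.1.1.5", True),
    # 1002: address changed, distribution requested well outside the review window
    ("2000-10-02 10:00", "1002", "address_change", "10.2.2.9", True),
    ("2000-11-20 10:00", "1002", "distribution_request", "10.2.2.9", True),
    # 1003: three bad PINs then success from one address (a forgotten PIN)
    ("2000-10-05 08:00", "1003", "login", "10.3.3.3", False),
    ("2000-10-05 08:01", "1003", "login", "10.3.3.3", False),
    ("2000-10-05 08:02", "1003", "login", "10.3.3.3", False),
    ("2000-10-05 08:03", "1003", "login", "10.3.3.3", True),
    # 203.0.113.7: one bad PIN each against many different accounts (guessing)
    ("2000-10-06 02:00", "2001", "login", "203.0.113.7", False),
    ("2000-10-06 02:00", "2002", "login", "203.0.113.7", False),
    ("2000-10-06 02:01", "2003", "login", "203.0.113.7", False),
    ("2000-10-06 02:01", "2004", "login", "203.0.113.7", False),
    ("2000-10-06 02:02", "2005", "login", "203.0.113.7", False),
    # 198.51.100.4: successful logins as several participants (shared PINs,
    # like the trading service in the incident above)
    ("2000-10-07 09:00", "3001", "login", "198.51.100.4", True),
    ("2000-10-07 09:05", "3002", "login", "198.51.100.4", True),
    ("2000-10-07 09:07", "3003", "login", "198.51.100.4", True),
    ("2000-10-07 09:09", "3004", "login", "198.51.100.4", True),
]

DISBURSEMENTS = {"loan_request", "distribution_request"}


def parse(events):
    """Turn raw tuples into dicts with real datetimes, oldest first."""
    rows = [dict(ts=datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                 pid=pid, action=action, ip=ip, ok=ok)
            for ts, pid, action, ip, ok in events]
    return sorted(rows, key=lambda r: r["ts"])


def address_change_then_disbursement(events, window_days=30):
    """Flag a loan or distribution requested within window_days of a
    successful address change on the same account: the diverted-check pattern."""
    last_change = {}
    flagged = []
    for r in parse(events):
        if r["action"] == "address_change" and r["ok"]:
            last_change[r["pid"]] = r["ts"]
        elif r["action"] in DISBURSEMENTS and r["ok"] and r["pid"] in last_change:
            if r["ts"] - last_change[r["pid"]] <= timedelta(days=window_days):
                flagged.append((r["pid"], r["action"]))
    return flagged


def login_sources(events):
    """Per source IP: the accounts it failed against and the accounts it got into."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for r in parse(events):
        if r["action"] == "login":
            (succeeded if r["ok"] else failed)[r["ip"]].add(r["pid"])
    return failed, succeeded


def classify_sources(events, min_accounts=3):
    """Tell a forgotten PIN from an outside attack by spread, not volume:
    failures piled on one account that then succeeds look like a forgetful
    participant; failures (or successes) spread across many accounts from one
    source look like PIN guessing or shared credentials."""
    failed, succeeded = login_sources(events)
    verdicts = {}
    for ip in set(failed) | set(succeeded):
        if len(failed[ip]) >= min_accounts:
            verdicts[ip] = "pin_guessing"
        elif len(succeeded[ip]) >= min_accounts:
            verdicts[ip] = "shared_credentials"
        elif failed[ip] and failed[ip] <= succeeded[ip]:
            verdicts[ip] = "forgotten_pin"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    print("address change followed by disbursement:",
          address_change_then_disbursement(SAMPLE_EVENTS))
    for ip, verdict in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(f"{ip:15} {verdict}")
```

The thresholds are deliberately crude; the point is that the same failed-login count means different things depending on whether it is concentrated on one account or spread across many, and that an address change is harmless on its own but worth a second look when a check or loan follows it.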
Certificates and insurance
Oates thinks digital certificates may be the answer to
account privacy concerns. A digital certificate is an
electronic credential, signed by a trusted issuer, that ties a
participant's identity to a cryptographic key held only by that
participant; unlike a PIN, it proves possession of something the
holder has rather than knowledge of something a spouse or
co-worker might also know. "Digital
certificate technology would allow for the safe
transactional flow of benefits to beneficiaries," he says.
"These incorporate Level Four identity verification, which
is the highest level we can provide."
"What people [also] do is insure these kinds of risks
with Errors and Omissions coverage," says Oates.
In one insurance arrangement that is still considered
unusual, Lloyd's of London offers $100 million worth of
coverage to clients of the San Jose, California-based
computer security firm Counterpane Security. The policy
addresses monetary losses sustained if a hacker breaks
through Counterpane's security defenses and manipulates
customer data. Should that happen, Lloyd's is expected to
cover it, says a Counterpane spokesperson.
Just be sure to "use bonded vendors who will stand
behind the risk if information is shared or used
inappropriately," Oates cautions. And, remember there are
no 100% guarantees against data being lost, stolen,
destroyed, or subjected to unauthorized access. "Perfectly
executed household fraud is very difficult to catch,"
admits Oates.
Schuster believes that, if you have not reviewed your
vendors' online delivery systems within the last 12 months,
you may have new privacy and security exposures going
uncorrected, like the recently deployed worm that hit
Microsoft.
"In the pension world, you have to have the highest
safeguards because of the social risk," Oates concludes.
"People are relying on that money as their life savings. If
that gets disrupted, the social outrage is much greater
than with virtually any other financial services provider.
At the end of the day, it's your reputation."