Cybersecurity has been a growing concern across all parts of life in the digital age.
The retirement plan industry is no stranger to data breaches and fraud. In 2008, State Street send notifications to employees and some customers of the former Investors Financial Services Corp. (“IBT”) that computer equipment containing certain personal data was stolen from a vendor’s facility. According to a press release, IBT—a firm that State Street acquired in 2007—had had engaged an unnamed vendor for legal support services. In 2012, Federal Thrift Savings Plan (TSP) participants’ data was compromised due to a cyberattack on a third party service provider’s computer. In 2015, the Katy, Texas, Independent School District (ISD) reported a data breach affecting more than 11,000 employees. A flash drive containing information about 403(b) or 457(b) plan participants that was given to an IRS agent was lost.
More recently, retirement plan fiduciaries have been sued for data breaches of participants’ accounts regarding unauthorized distributions. A former participant in the Estee Lauder 401(k) plan has sued the plan sponsor and plan providers for failing to safeguard her retirement account. According to the complaint, in September and October 2016, an unknown person or persons stole the participant’s retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the plan. The lawsuit names as defendants Estee Lauder; Alight Solutions, whose predecessor Hewitt Associates was the recordkeeper to the plan at the time; and State Street Bank & Trust, the plan’s custodian.
In an article in PLANADVISER magazine—PLANSPONSOR magazine’s sister publication—David Kaleda, with Groom Law Group, Chartered, notes that in another case, Leventhal v. MandMarblestone Group LLC, a participant in a 401(k) sponsored by his employer, presents that over a period of time, the plan distributed $400,000 based upon fraudulent withdrawal forms submitted to the plan administrator by unknown persons. Interestingly, the participant used the withdrawal forms required by the plan administrator to request a $15,000 distribution, which the plan paid to him. However, the unknown persons somehow obtained a copy of that withdrawal form using an “unknown method of cyberfraud possibly relating to the electronic transmission of [the original] form.” The fraudsters sent to the plan administrator withdrawal forms from an address that appeared to be from the participant’s employer. On those forms, the fraudsters requested that the payments be made to a bank account that was different than the one to which the plan paid the $15,000.
Plan sponsor steps to ensure cybersecurity
All of these incidents point to a need for stronger cybersecurity defenses by plan sponsors and plan providers.
Although the U.S. courts have yet to decide whether managing cybersecurity risk is a fiduciary function, the ERISA (Employee Retirement Income Security Act) Advisory Council has asked the Department of Labor (DOL) to issue guidance for retirement plan cybersecurity. In addition, lawmakers have asked the Government Accountability Office (GAO) to examine cybersecurity in the U.S. retirement system.
Retirement plan sponsors want to know their service providers are taking steps to protect participant data, but providers are concerned about releasing confidential information. These concerns are why The SPARK Institute came up with a framework for cybersecurity disclosure by plan providers. It includes 16 identified critical data security control objectives, and requires plan providers to use an independent third-party auditor. Each audited report, regardless of the security framework used, must include a detailed report showing identified controls mapped to one of SPARK’s 16 control objectives.
Those 16 control objectives are:
- Risk assessment and treatment;
- Security policy;
- Organizational security;
- Asset management;
- Human resource security;
- Physical and environmental security;
- Communications and operations management;
- Access control;
- Information systems acquisition development;
- Incident and communications management;
- Business resiliency;
- Supplier risk; and
- Cloud security.
Allison Itami, principal at Groom Law Group in Washington, D.C. explains that the framework is trying to reach the goal of providing a format for plan sponsors to look at different providers and compare apples to apples. “A plan sponsor can take the approach of asking the 16 questions, but that is not efficient, and they might run into resistance about giving detailed information that could be used by hackers,” she says.
But, “The onus of safeguarding plan participants from fraud, no matter its source, does not fall solely on the recordkeeper. Both DC plan sponsors and recordkeepers need to agree on fraud-resistant processes that are clearly documented, rigorously implemented and consistently followed,” say Andy Adams and Jay Schmitt, principals of Strategic Benefits Advisors.
They recommend being risk averse, not speed oriented. “In practice, too much emphasis on speed has compromised processes meant to safeguard participant assets and contributed to the rise in DC plan fraud. Both plan sponsors and recordkeepers should consider that the most fraud-resistant protocols aren’t always the fastest.”
They also recommend “balancing the books.” They say, “It’s incumbent on plan sponsors to make sure recordkeepers reconcile clearing and distribution accounts frequently (preferably daily) and accurately, with every transaction clearly identified. When checks go uncashed, there should be clear protocols for locating the intended recipients and a definitive timeline for returning uncollected funds to the plan.”
The two say checks and balances should be in place. “In our opinion, no single employee should have the power both to change a participant’s mailing address and to reissue a check. Separating duties like these is a simple way to protect participants and reduce plan sponsor liability. However, should a recordkeeper make a compelling case for combining these tasks into a single role, the plan sponsor would be wise to enforce an approval process and require an audit trail that documents every transaction in the recordkeeper’s system—even manual adjustments.”
“Finally, plan sponsors should require thorough background checks for anyone with access to DC plan accounts or participant data. Background checks should be conducted not just at hire but on an ongoing basis,” Adams and Schmitt say.
According to Joan Neri, counsel in Drinker, Biddle & Reath’s ERISA practice, the first thing sponsors should do is ensure that their fiduciary insurance policies have riders that cover cyber breaches. “A lot of insurance companies are now offering standalone cyber insurance that is far more complete than a rider,” she adds. “They include things such as access to cyber breach response experts, credit monitoring and technical assistance with public relations.”
When hiring service providers, sponsors should also look to see whether or not they have a clause about how they handle cybersecurity in their contract, Neri says. “The contract should address limitations and restrictions on how the service provider is using the plan data. They should be encrypting data and destroying data they no longer use, and, if they have subcontractors, it should spell out how they interact with them.”
Most importantly, it should detail “how they will respond to a cybersecurity breach and how they will take efforts to prevent future occurrences,” Neri says. “They should also state that they will preserve evidence because it might be needed to track down the person who perpetrated the breach. It should also include language that they agree to be liable in the event of a breach, and that they will share the costs.”
Some providers are now offering cybersecurity guarantees.
The role of participants
There are steps plan sponsors should encourage participants to take as well to protect their retirement plan accounts.
For starters, participants need to register their accounts online, says Charlie Nelson, CEO of Voya Retirement. Ensuring participants have registered can provide an additional degree of security in knowing that no one else is registering on a participant’s behalf.
“We sometimes hear people say, ‘My account is safe because I never registered for online access.’ That can be misguided. Fraudsters will sometimes try to get access to an unregistered account so they can set the original data points, such as a phone number or other piece of information,” Nelson says.
An approach participants are always urged to employ is creating a strong, complex password. Constructing these passwords are common sense, says Ted Schmelzle, senior director of Retirement Solutions at Securian Financial, along with updating anti-virus malware on personal computers to reflect current models and avoiding links from unknown users.
Additionally, participants should be aware of what material they’re adding to their social media accounts. Profile information, including the city in which a participant lives, a photo of the company they work for, or even political opinions, for example, can expose individuals to hackers.
Possibly one of the top methods in preventing breaches, attacks and hacks is two-factor or multi-factor authentication. A stronger back-up to secure passwords, it allows participants to sign into their account in multiple steps, which may include inputting their password and approving it on another device (such as cellphones and tablets).
The Federal Thrift Savings Plan will require tougher online security measures for its participants by the end of the year. The Federal Retirement Thrift Investment Board says all participants must validate their contact information and set up two-factor authentication for their online TSP accounts. The board recommends participants include at least one contact method that will stay with them throughout their careers.
The approach can prove inconvenient for some. A 2017 report by SecureAuth, an adaptive authentication firm, found 74% of respondents using two-factor authentication said they have received complaints about the process from their users.
“Convenience is a small price to pay for the additional security,” says Schmelzle.
« How the SECURE Act Will Impact 403(b) Plans