DB Plans Can Take Proactive Steps to Protect Against Cybersecurity Threats

What questions should defined benefit plan officials ask about their cybersecurity protocols?

The recent cyber attack on the Missouri teachers’ pension fund, the Public School and Education Employee Retirement Systems (PSERS/PEERS), has exposed just how vulnerable some pensions can be when it comes to internet security.

With billions of dollars, data and personal information on the line, pensions are a prime target for cyber criminals. Unfortunately, some officials in the pension world may not take the proactive steps necessary to best protect their funds.

“I’ve talked to people who said that ‘cybersecurity is a technical issue, and since we outsource technology, it’s not really my problem,’” says Alan Brill, senior managing director of cyber risk at Kroll, who has testified twice to Congress about the cybersecurity of defined benefit (DB) plans in the United States.

The hack at the Missouri fund occurred when an employee’s email account was accessed for less than an hour by someone outside the retirement system without authorization. The pension sent a notification to employees and beneficiaries informing them that “personal information may have been potentially exposed to an unauthorized individual.”

Brill says that if DB plans outsource cybersecurity, it doesn’t mean they can sit back and relax worry-free. “That’s 100% wrong. You are responsible for that data,” he says.

Instead, Brill recommends that pension funds discuss cybersecurity at meetings at least a couple of times a year. During those meetings, he adds, they should be asking questions such as “How would we know if an incident occurred? What is the incident response plan? What are our cybersecurity standards?” If the pension is employing a third party to handle cybersecurity, he encourages the board to direct these questions to the firm it has hired.

Pensions should also ensure they have some form of 24/7 monitoring of their networks, as opposed to partial monitoring, Brill adds. This means most pensions should run automated monitoring software on their servers that immediately alerts a security operations center when something goes wrong. “You can’t simply assume that because you didn’t get broken into last week, you’re probably OK in the future,” he says.

U.S. DB plans have only recently received federal guidance on best practices for cybersecurity. The Department of Labor (DOL) released a new set of guidelines for plan sponsors, plan fiduciaries, recordkeepers and plan participants this April. It was the first time the agency’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidelines.

This article was originally posted on CIO, a sister publication of PLANSPONSOR.