Being fiduciaries under the Employee Retirement Income Security Act (ERISA), retirement plan officials are tasked with monitoring and managing cybersecurity risk as they invest participant dollars.
As outlined in a new report from Corporate Insight, “Trends in Online Security: 1996 to Today,” this is no simple task, and it has grown markedly more complex in the last two decades as the role of big data technology has ramped up in the retirement industry.
Prior to 2000, the researchers explain, employee and employer account logins used simple firm-assigned IDs or account numbers as identifiers, and few firms allowed account numbers to be remembered (“cookied”) by the web browser. Between 2001 and 2006 the pace of security development accelerated markedly, as service providers introduced automatic logout after inactivity, the ability to set and change passwords online, and multi-factor authentication. Increasingly, Corporate Insight notes, firms launched linked-account services that let one username access multiple accounts.
Most recently, custom security questions and one-time codes sent by text or email have replaced the older security images. Text or email alerts now notify clients when an unrecognized device attempts to log in, whether or not the attempt succeeds. Additional safeguards have broadly been added to the password-change process, and Touch ID and Face ID authentication are available in mobile apps on supporting devices.
In the years ahead, Corporate Insight expects cybersecurity to be a very strong focus among retirement plan providers and investment managers, which puts the onus on plan officials to understand the evolving product and provider landscape. The researchers cite the massive Equifax data breach as a painful example and one of the prime motivators for service providers to strengthen their security capabilities.
“Corporate Insight visited the annual Finnovate Conference this year, one week after the Equifax breach, and viewed new technologies aimed at protecting data,” researchers note. “More than one focused on authentication through a second device, enhancing the unreliable text and email verification methods by using proximity-based technology or device hardware to identify a client by their phone or wearable device.”
As mobile devices and voice technology gain popularity, firms must continue to make the login process as secure and efficient as possible, Corporate Insight urges.
“More and more brokerages provide Amazon Alexa Skills for clients to access basic market information and account data. For logging in to such devices, text authentication proves to be the most common measure,” researchers explain. “It will be interesting to see if voice authentication increases in popularity as virtual assistant devices become more responsive to individual voices.”
Turning specifically to retirement plan providers, there is a growing movement to improve the understanding of, and response to, data security issues. For example, the SPARK Institute recently formed a Data Security Oversight Board (DSOB), composed of both recordkeepers and members of the plan adviser community. Its original focus was described as “trying to create a data security standard that all industry players needed to meet.”
However, the organization quickly concluded that a single overarching standard was not only unattainable, given the different security frameworks each recordkeeper or adviser uses, but also bad security policy: if that one standard were breached, everyone’s systems would be at risk. In the end, the board chose instead to recommend standardizing how security capabilities are reported, so that a plan sponsor has a uniform way to compare vendors.
The full Corporate Insight report can be downloaded here.