Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats

If Department of Labor guidance for plan sponsors, fiduciaries, recordkeepers and participants on best practices for maintaining cybersecurity is the start, then finding the best way forward is the puzzle for employers.

From July 2019 through December 2021, there was a 65% increase in identified global exposed losses (loss that includes both actual and attempted loss) from email compromise attacks, which often target both individuals and businesses who perform legitimate transfer-of-funds requests, according to Federal Bureau of Investigation data included in a bulletin earlier this year.

The FBI data shows 241,206 domestic and international incidents from June 2016 to December 2021, totaling an exposed dollar loss of $43.3 billion.

Account takeover attacks, in which a hacker accesses an existing account using stolen credentials, have affected 22% of U.S. adults, more than 24 million households. Costs are estimated at $11.4 billion in total losses from breaches in 2021, according to a September brief from Pi by Paytm Labs, a machine-learning-powered fraud risk management platform.

While ransomware threats are now the most acute risk in the cyber-attack landscape, the threat landscape changes continually and demands constant vigilance, explains Tim Rouse, the executive director of the SPARK Institute, a Washington D.C.-based nonprofit and advocate for recordkeepers and the retirement industry.

SPARK members, in recent years, focused the most attention on protecting plan data for plan sponsors, but this has changed in the last four or five years, he says.

“We started, for the first time, to see the criminal actors utilizing data to then get access to the participants’ retirement assets, which was very alarming,” explains Rouse.

Cyberattackers used go after an individual’s personally identifiable information, he says. Attempted perpetrators “started to use that personal identifiable information to then get into retirement accounts and into other accounts, too,” Rouse adds. “Each [SPARK] member firm started to put in protections on their own, but then our data security oversight board got together and worked on fraud best practices, and we implemented those about four years ago.”

SPARK’s Data Security Oversight Board’s recommendations for fraud prevention include using multifactor authentication, and they provide guidance on penetration testing, a process whereby a “white-hat hacker,” is hired by a company to expose a plan sponsor’s internal IT system weaknesses, Rouse says.  

Brenda Sharton, a partner in the Dechert law firm and co-chair of its global privacy and cybersecurity practice, says the most critical processes and procedures for plan sponsors to have for cyberattack protections are as follows:

• Extensive and ongoing training for every employee;
• Requiring that security-system logins have multifactor authentication; and
• Ensuring cyberattack insurance is current, covers ransomware and does not include a war exclusion provision.

“Most threat actors, including the most sophisticated ones, get in through phishing emails, and there is no limit to the training that you could do—you’re only as weak as your weakest employee, and you want to have that happen at all levels,” she says. “[In] over two decades … every single year, the cyberattacks go up and to the right in terms of frequency and sophistication, and never have we seen a more dangerous environment.”

There are many different types of cyber insurance for employers to evaluate, including multiple types of coverages.  

“Ensure that there’s no act-of-war exclusion, so that the insurer can’t then say, ‘It was a nation-state threat actor, so we’re not paying for this,’” adds Sharton. “When [plan sponsors are] renewing cyber insurance, [they must] make sure they focus in on that clause and that the insurer doesn’t try to use it..”

The Federal Trade Commission has also compiled tips for evaluating cyber insurance on a government website.

Additionally, plan sponsors must have a robust incident response plan in place and ensure it is written down somewhere, says Sharton: “Ask yourself, ‘Does everybody know exactly what they need to do and what they should be doing in an incident?’ And then keep a paper copy with contact information, [including] who are you going to call and who’s supposed to be doing what?”

Sharton identifies the most critical attack threat currently faced by plan sponsors as ransom attacks that compromise vendors or third-party partners.

“We’ve also seen an uptick in nation-state attacks, but [plan sponsors are] less of a target for that type of threat actor,” Sharton says. “Then, lastly, insiders are always an issue that they should have on their radar screen as well.”

In 2023, she expects cyberattackers to use a mix of old- and new-school tactics, Sharton says.

“[Attempts include] drop[ping] thumb drives in the elevator banks or in the lobby to see if somebody picks one up,” Sharton says. “They’ll try to get into a[n office] premises—because [at] many work environments, there’s been many new hires during COVID[-19], and if they’ve had a hybrid [work] situation or people haven’t been coming into the office, it’s easy to get in and tailgate [by pretending to be] new.”

Steven Rabitz, co-chair of Dechert’s employee benefits and executive compensation practice and leader of the national fiduciary practice, advises plan sponsors to start with the DOL guidance and, from there, proceed to fill in the blank space to protect their plans. Plan sponsors must understand the DOL guidance also served as a reminder that employers must fulfill their functional fiduciary duty with respect to plan and participant data, he explains.

 The DOL’s 2021 published guidance was the agency reaffirming the risk from vendors improperly protecting information. It reflects a greater focus by the regulator on cyber security protection for retirement plans, Rabitz says, because the DOL outlined the responsibilities of a retirement plan fiduciary with respect to participant and other plan-related data.

The DOL stated that fiduciaries have an obligation “ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems includes measures calculated to protect personally identifiable information,” Rabitz wrote in an email, citing the DOL’s published guidance.

“[The DOL] has recognized the threat and has tried to signal strongly that it is, in fact, a functional fiduciary duty to make sure that your [retirement plan] data is preserved, that you’ve done appropriate diligence, in light of your fiduciary duties, to ensure you believe that your vendors are safeguarding information,” he says. “Plan fiduciaries and [plan] sponsors do have an obligation to make sure that participant information is appropriately safeguarded, and then how that’s done and the best practices as to how that’s done, functionally, is facts and circumstances.”