Vendor Process Reviews Are Crucial to Retirement Plan Cybersecurity

A digital security expert says "the behavioral and human element of data protection is always the most challenging part.”

Art by James Yang

Patrick Murphy, CEO of John Hancock Retirement Plan Services, says that from his perspective leading a major retirement plan recordkeeper, cybersecurity has grown in the last five or so years to become a top daily concern.

“Cybersecurity is such a critical topic and it will remain so,” he says. “Knowing this, we now participate in one of the groups organized by SPARK that is designed to create best practices and more commonality in the retirement plan industry when it comes to securing and protecting data. We encourage all our colleagues to do the same.”

According to Murphy, John Hancock and other firms have begun “constantly sharing the information we learn about the fraudsters and bad actors out there” in the interest of better protecting plan sponsors and participants.

“As we identify the evolving types of cyber criminals that are targeting our space, we make sure that our clients and competitors know what is happening,” Murphy explains. “We have to collaborate like this because the bad actors are not just coming at us as a single organizations. They are making a coordinated attack on our whole industry, and so we need to coordinate our defenses. When we help shut down an attack, we know we have an obligation to help others do the same, for the best interest of participants.”

Murphy says that his firm has embraced a multi-level cybersecurity system that is constantly evolving to meet new threats. He adds that genuine cybersecurity comes from a thoughtful and diligently applied combination of technical security protocols and internal processes built around multi-factor authentication, complemented by an overall organizational approach that also addresses the inevitability of human error.

“The network protection is always important but the behavioral and human element is the most challenging part,” Murphy says. “This is where advanced analytics and what we call active intelligence come into play. Take an example where you have had a participant that has for years logged into their account from the same device around the same time of day. Our systems can detect and monitor that, so that when a login attempt comes from another device from a different time that is outside the individuals’ normal behavior pattern, a red flag immediately goes up. It doesn’t mean this is an attempt at fraud, of course, but it does mean we should take an extra step to verify who is attempting to access our system.”

Sponsors Must Carefully Monitor Vendors

According to Bart McDonough, CEO and Founder of Agio, a managed IT and cybersecurity services provider active in the financial services and health care space, many retirement plan fiduciaries do a lackluster job monitoring the cybersecurity performance of the vendors they work with on a daily basis. In his practice consulting on cybersecurity, McDonough sees a lot of “checking-the-box” behavior when it comes to monitoring vendors. 

“We see people sending detailed spreadsheets asking some pretty advanced cybersecurity questions, and they feel doing this allows them to certify that they did some type of vendor review,” he says. “From our perspective, this kind of exercise is actually a waste of time and energy. We can say from experience it just doesn’t work. Real security is not a check-the-box item—it takes diligence to figure all this out.”

Looking across the financial services landscape, McDonough says, pretty much every provider can do a good job responding to these questionnaires.

“Where the real distinction comes in is when you look at specifically how technology tools and solutions are being used by one firm versus another,” McDonough explains. “Take the use of the very popular Salesforce customer relationship management system. The real security variable is not whether or not you use Salesforce. Rather, the security variable is how well the program is configured, used and maintained. There are 100 Salesforce configuration options that can make the platform more or less secure.”

McDonough says it is common to see organizations playing it fast and loose in their implementation of client services technologies that could be made far more secure. He pointed to the example of one of the largest banks in the world allowing 20 or more employees to share a single set of login credentials in sensitive systems.

“When someone new joined the team, they got the password,” he says. “When someone left the team, the people who stayed behind didn’t change the password. That’s the kind of human element we’re talking about.”

Accidents Are Just as Problematic as Attacks

According to McDonough, many organizations have put cybersecurity contingency plans in place to respond to malicious attacks, but fewer have addressed the fact that as many as half or more of cybersecurity incidents do not involve any bad actors.

“You may or may not be surprised to learn that accidents and non-malicious errors are a major source of cybersecurity incidents in the financial services industry,” he says. “I can think of a client we were working with just recently where an HR associate lost a laptop that had a tremendous amount of sensitive data on it. Everyone is always so focused on the bad actors, but there are so many stories in which the damage is entirely self-inflicted.”

To be clear, the category of “cybersecurity accidents” in this context does not include such incidents where an employee unwittingly opens up a malicious email or link. In such a case the employee does make a mistake, but there is still a bad actor that initiated the potential breach through “phishing” efforts. Rather, cybersecurity accidents are just that—issues that begin with no bad actor or intention of wrongdoing.

“I think it’s helpful to think of the analogy that accidents do far more damage in peoples’ homes each year versus robberies or arsons. The same idea is true in the cybersecurity space,” McDonough says. “It doesn’t take a criminal or a bad actor to be involved for a serious problem to occur.”

Strong Processes Protect Plan Sponsors

Murphy and McDonough agree that cybersecurity is all about process. Process means such things as regularly reviewing the privileged accessing of data and the use of that data across the organization. It means conducting regular reviews of the list of active administrators and their responsibilities and activities. It means tracking ongoing cybersecurity efforts through a detailed security log.

“The cybersecurity threats always evolve, but the attributes of really secure organizations remain the same,” McDonough says. “They enthusiastically embrace the need to conduct penetration testing and the need to train their people about the risks of ‘social engineering’ and other sophisticated phishing efforts. If you think back to all the big headline hacks of recent years, I can think of only one, the Equifax hack, that didn’t start with social engineering that took advantage of the human element. That’s the only one that started with a pure technical hack.”

For its part, to address the human element, Murphy says John Hancock Retirement Plan Services has embedded solutions and analytics systems behind the scenes that are proactively identifying bad behavior that is not actually trying to compromise the network from a technical perspective, for example when a fraudster pretends to be a real participant.

“Overall we’re actually less concerned about a technical breach of our systems than we are concerned about the potential for fraud that exists when participants aren’t practicing good cyber health on their own,” Murphy says. “They may be sharing passwords or using repetitive passwords, or they may have very weak passwords that they never change. For us as providers, advisers or plan sponsors, this situation means we have to be extra vigilant. These types of analytics tools are becoming much more prevalent in the retirement plan industry today, and we’re very happy to see that.”