Pension Information Security: Technology is Changing the Game and Plans Must React

However, it is vital that information security is not overlooked in the transition. 

Scarcely a month passes without a new corporate data breach making headlines. Notably, in May, eBay took the spotlight, as it announced 233 million of its users could be at risk of identity theft after their personal data were stolen in the world’s biggest online security breach. The pensions industry has, to date, largely been shielded from such cyber threats given its traditional use of paper- and spreadsheet-based reporting and valuation methods. Yet the landscape is quickly shifting. An increasing number of pension consultants and advisers are now offering web-based analytics as part of their services, driving a considerable increase in the volume of pension information accessible on the Internet.

Of course, this evolution in the way the pensions industry measures and manages risk should be celebrated. Yet, use of these systems may also drive increased security risks that are not immediately obvious to plan stakeholders, but are of vital importance given the sensitive and confidential nature of the data contained in and exposed by the systems to the Internet and its billions of users.

Cyber security breaches: what are the real risks for pension plans?

The key threat to pension plans is that sensitive data will be obtained by hackers passing system defenses and harvesting it for malicious or unintended purposes. Imagine if your plan was running a confidential project and this was leaked to participants, unions and other potentially hostile employee factions, local politicians or unfriendly investors at a crucial stage in the project—the impact on the plan, its sponsor and its members could be extremely damaging.  Indeed, even a simple “what if” scenario, made publicly available, could have unfortunate consequences.

With technology usage in the pensions industry still in its nascent stage, actual cases of pension-related breaches remain rare, although not completely unheard of. Back in 2012, Serco, the third-party provider responsible for securing private information for the Thrift Savings Plan—a defined contribution retirement savings plan for Federal employees—announced that it had been breached, exposing data on 123,000 employees of the Federal government, including names, addresses and social security numbers.

For corporate sponsors of pension plans, breaches of information security may also have wider implications. The case of U.S.-based payment processer Heartland Payment Systems is perhaps the most notable example. In January 2009, Heartland announced that a hack of its network in late 2008 had resulted in the loss of some 130 million payment records. Within days Heartland’s share price had halved; by March that year, at its lowest, it had lost 78% of its pre-breach value. Given the size and importance of many corporate sponsors’ pension plans, combined with the sensitivity of the data they store, this wider financial impact should be noted.

What can plans do to protect their data?

First and foremost, plans must make sure that they have the right internal processes and security standards in place to protect themselves. Thereafter, when transitioning to a web-based system, plans should:

• Check information security standards of the company providing the system;
• Involve IT or procurement departments to ensure appropriate due diligence and assessment is performed before valuable information is exposed to the world; and
• Make sure technology providers are performing continuous information security testing on their systems.

It is important that contracts are amended when plans begin to move their data online—and this should require the involvement of IT departments, which can test the new systems themselves and ask pertinent questions of the third-party provider. A sure-fire way of guarding against information security incidents is by carrying out an audit of plans’ providers of web-based analytics systems, checking whether technology is compliant with a number of key data protection requirements (such as the ISO27001/ISO27002 standards).

Technology providers—whether this is advisers, consultants or specialist technology firms—should also be doing their own due diligence, and implementing policies and procedures to ensure that information security is adopted and policed throughout their organizations. Regular information security awareness training, adequate vetting of third-party suppliers and thorough security testing are important building blocks of a holistic approach to the issue. In particular, providers should be regularly exposing their software to penetration testing, which involves employing an external independent party to try and professionally hack the system. At this stage, such tests will also review the vulnerability of the software to hackers corrupting, harvesting or monitoring data.

There is no doubt that the proliferation of online analytics is a huge step forward for the pensions industry. Yet this step should not be taken lightly, and it is up to individual plans to protect themselves against a data breach that may cause them to suffer unforeseen and unpleasant public consequences when their confidential information becomes a weapon in the hands of those who can profit from it.

Matthew Seymour, managing director at RiskFirst, a financial technology business providing risk analytics and reporting solutions to the pensions and investment market