How Plan Sponsors Can Combat Cybercrime

A panel hosted by the National Institute on Retirement Security explained that all pension plans are at increased risk, especially plans for public employees, and discussed ways that plan sponsors can mitigate their risk.

Pension plans for public employees are at a much higher risk for cybersecurity breaches than private plans, although private plans face plenty of risk themselves, according to an expert panel hosted by the National Institute on Retirement Security yesterday.

The panel featured Peter Dewar, president of Linea Secure; John Rosenburg, an information security officer at the New York State Teachers’ Retirement System; Michael Kreps, an attorney and co-chair at Groom Law’s Retirement Services & Fiduciary Group; and Jefferey Saiger, the chief technology officer at Illinois State Universities Retirement System.

The panel agreed that public pensions are more susceptible to attack and breach by cyber fraudsters. Kreps argued that public employees’ plans have a “unique vulnerability” because so much of their personal data is publicly available through internet searches by merit of their government employment. This data can then be used to narrow down the remaining information required to take over their retirement account by stealing their identity.

Saiger added that even public records requests, or FOIA requests, are a risk to the security of public systems since they can be used to acquire needed payroll information about public employees and have been used successfully by fraudsters in the past. “We are a ripe target unfortunately,” Saiger said.

The panelists also agreed that though public plans have unique risks, this is a general—and rising—challenge in the industry.

Saiger says the “bad guys are doing their research,” and even if you are paper-based they will submit the paperwork and change of address requests. “They are very well informed, they are viewing this as a business opportunity.” The put in the work and don’t take short cuts, because the opportunities can be so lucrative.

Rosenburg warned that account takeover attempts are becoming more frequent, and that knowledge-based verification, such as asking a client to state their address or phone number, is not as solid as it once was, since fraudsters have access to personal information. He explained that retirement cybersecurity professionals need secondary controls, such as requiring a personal PIN or account number that would be not publicly available.

Kreps explained that his clients are spending a lot of resources on cybersecurity insurance, and that for some the costs of premiums are so high that they have abandoned insurance altogether.

He also cautioned that insurance coverage is very limited, so plan sponsors need to be careful and closely read their plan to understand what is covered and what is not. For example, some insurance policies may only cover you if you require participants to change their passwords every 30 days, and can deny claims on the basis that a plan did not require it. Kreps recommends that providers have access to legal counsel who can explain their insurance plan to them if they are unsure if it is a good value or not.

The panelists offered some recommendations for added cybersecurity.

Rosenburg emphasized that coordination between departments such as IT, risk, legal and cybersecurity is essential to prevent information from being siloed off between them. Regular interdepartmental meetings should be encouraged. He also recommended annual security assessments, and hiring an external service to bring “another set of eyes” to your assessments.

When it comes to training staff at call centers, Rosenburg says that fraudsters will often try to manipulate staff into offering pieces of information that the fraudster lacks, such as by suggesting an answer or appearing sympathetic or forgetful in order to solicit missing pieces of identifying information. It is essential that employees working in customer service be trained to recognize these manipulation tactics, but also be sympathetic to the fact that some clients may be losing their memory or other mental faculties as they age.

On the subject of legal liability, Dewar explained that the Department of Labor requires employers to take certain steps to remain compliant with the Employee Retirement Income Safety Act. Kreps, the only attorney on the panel, confirmed this, and although, “Congress has not figured out how to tackle the issue,” DOL audits ask cybersecurity questions and ask what protections plan sponsors have in place and what they require of their service providers.