What Plan Sponsors Need to Know About DC Plan Cybersecurity

For most of the past decade, cyberattacks have been on the rise.

In 2015 alone, more than $1 billion in losses were reported, according to the FBI’s Internet Crime Complaint Center. It is not unreasonable to assume that eventually retirement plans would make tempting targets for cybercriminals. After all, personal data is the lifeblood of any benefit plan. The flow of this private data between parties, internally and externally, is what makes a benefit plan tick. It also makes these plans unique targets that many organizations—even those with enterprise-level cybersecurity policies—have not considered.

While we know that cyber threats cannot be eliminated, they can be managed and minimized with proper planning. In addition, equally as important as preventing a cyberattack is being ready to respond and recover from one.

To combat these concerns, the ERISA [Employee Retirement Income Security Act] Advisory Council looked into best practices and considerations for benefit plans. One of the most notable conclusions is that cybersecurity for benefit plans can’t be “checklist driven.” Given the number of variables that can be present, it is an issue that each organization needs to address individually. Therefore, the report focuses on a framework that organizations should follow in establishing and reviewing the cybersecurity policies for their benefit plans.

Gathering the Right Resources

Human resource (HR) and payroll professionals will be the employees who handle and transmit defined contribution (DC) retirement plan information most; however, they are usually not trained cybersecurity professionals. Typically, an organization will have one person who is responsible for the cybersecurity policies for the whole firm. A best practice is to involve this person in the discussions about the security of plan data. At the risk of creating a turf war, we believe it’s important that someone with knowledge of current cybersecurity threats and prevention methods be involved in the conversation. Ultimately, the size, scope and complexity of your cybersecurity plan should be consistent with the size and complexity of your organization and benefit plan structure.

Identifying What Data Is at Risk

A common misconception about cybersecurity and benefit plans is that the cybercriminals are after the assets in participants’ accounts.

While in some cases that’s true, there is an easier target—the participants’ private data. Understanding what data is at risk, how it is transmitted, and to whom, is an important part of protecting it. Sponsors should ask the following questions:

• What private personal information is used in the administration of the benefit plan?
• What is the origin of this data, and where is it stored internally?
• How is access to this data controlled internally?
• How often is it transmitted outside the organization and by whom?
• How is the information transmitted?
• What parties receive this data, and how do they secure it?

It is important that organizations look closely at where this data is stored and who has access to it. In one recent case, a payroll analyst was sick and logged in to complete payroll from home. To avoid a late deposit, the person downloaded the 401(k) transmittal file onto a personal computer, which had been compromised, before loading it into the plan website. In doing so, he not only exposed the file, but also his login credentials to the plan website. This was a failure of policy, control and education on the part of the plan sponsor. If any of the three had been in place, meaning if the plan sponsor had a policy against using personal computers, a control to monitor usage of personal computers, or even if the employee had been trained on the risks, the breach may not have occurred.

Establish a Policy

The U.S. Department of Commerce, along with the National Institute of Standards and Technology (NIST), developed a standard framework for reducing cyber risks. The key components of that framework are:

• Identify. Once you understand what data can be exposed, work to identify ways that data could be exposed and compromised. Pay careful attention to third-party vendors and identifying the weakest link.
• Protect. Develop physical and virtual safeguards as well as policies and controls to protect against the threats identified above. A key component of this is training employees who have access to personal plan information about the threats and about ways to prevent cybercrime.
• Detect. Establish how breaches will be detected. Who will be responsible for this task within the organization? Is a third party necessary to detect potential breaches?
• Respond and recover. In the event of a breach, what steps will be taken to address its short- and long-term impacts? Who will be responsible for the coordination of the response and recovery? The response aspect deals with how the organization will communicate the breach to those affected, as well as what resources will be provided. The recovery aspect deals with how any systems that were breached are secured, or in the event of a total failure, restored to service.

Research Third Parties and Their Policies

Third-party vendors can pose a substantial risk to private information. It is important that plan sponsors reach out to their vendors and understand what their cybersecurity policies are. This is especially important for smaller vendors. Large recordkeepers typically have dedicated cybersecurity teams, but smaller third-party administrators (TPAs) and brokers may not.

It’s important to note that some providers may be uncomfortable sharing all details of their cybersecurity practices. Most should be able to provide a summary document, however. A good place to start with large organizations is asking for both a SOC [Service Organization Controls] 1 and a SOC 2 Report. SOC 1 deals with internal controls over financial information. SOC 2 deals with the controls on private information.

Insurance Considerations

Cyber insurance policies are quickly becoming a standard for most organizations. It is important to understand the type of coverage you have. First-party coverage, for example, typically allows the organization itself to trigger a claim upon learning of a breach. Third-party coverage, however, is dependent on a lawsuit from a third party to trigger a claim. Carefully consider what is and is not included in your cyber insurance policy, as it is likely that it will play a large role in your response and recovery efforts.

Implementing DC retirement plan cybersecurity can take time and effort. However, in the end it’s worth it. Plan sponsors that take cybersecurity seriously are less likely to see their participants’ assets and personal information affected by a successful cyberattack.

Andrew Zito, AIF, is executive vice president, retirement plan services, at LAMCO Advisory Services, an independent retirement plan consulting and advisory firm.