Provider Due Diligence: Key to Avoiding Catastrophic Cyberattacks

With the increased frequency of cyberattacks, including within the retirement industry, plan sponsors have a fiduciary responsibility to ensure that providers with whom their plans are working are taking cybersecurity seriously.

The recent breach of the encrypted file transfer software program MOVEit, which exposed the personal information of participants via financial firms, universities, the U.S. federal government and the California public retirement systems, brought to light the far-reaching implications of a data breach, even though it occurred at a vendor, rather than a plan sponsor.

It also emphasized the importance of conducting in-depth requests for proposals, as well as annual due diligence, when considering plan vendors. In the MOVEit case, class action lawsuits have been filed against companies due to breaches suffered by servers run by other companies. Incidents can affect plan sponsors, even when they occur several layers of business away from the plan sponsor itself.

Screening for Cybersecurity in the RFP

Robert Massa, managing director at Qualified Plan Advisors, says the RFP process is crucial and that plan sponsors should be asking a series of questions to ensure a vendor’s cybersecurity practices are up to par. A vendor in this context could be an adviser, recordkeeper, custodian or any type of service provider.

In the RFP template Massa provides to his clients, it first asks any vendor to detail its firm’s policies, procedures and data encryption. This includes tools that the vendor uses to prevent unauthorized access, fraud, theft and misuse.  

Massa says he also asks vendors if they have ever experienced a breach and, if so, how they handled it. He says vendors sometimes do not want to answer that question, but plan sponsors have a fiduciary responsibility to know what has happened.

“No one should be embarrassed about the fact that they’ve been breached at this point,” Massa says. “It’s more a question of how you handle it than it is the fact that you got hacked. … You want to know what [the vendor’s] processes and procedures are for dealing these threats and protecting that personal, identifiable information.”

For example, Massa says a plan sponsor needs to know how data is stored and how data is received, especially because the sponsor regularly needs to transfer a payroll file that contains names, Social Security numbers, dates of birth, addresses, income numbers and more.

“There’s so much information in there that is critical, and you want to make sure that that data is protected both in transit and once it’s encrypted,” Massa says.

Another consideration that can be screened for in the RFP process is how a vendor deals with a participant who terminates employment and how their access to their payroll account, for example, is deactivated.

“It’s painful, but you’ve got to look at the SOC reports,” Massa says, referring to services organization controls reports. “You’ve got to be willing to roll up your sleeves and look at these audit reports and see what [a vendor’s] third-party auditors have said about their controls.”

A SOC report is governed by the American Institute of Certified Public Accountants and focuses on offering assurance that the controls put in place by service organizations to protect their clients’ assets (data, in most cases) are effective. There are several types of SOC reports, but plan sponsors should mainly be aware of SOC 1 and SOC 2 reports.

A SOC 1 focuses on outsourced services performed by service organizations that are relevant to a company’s financial reporting. A SOC 2 focuses more on operational risks of outsourcing third parties outside of financial reporting.

Paul Catenacci, senior partner in and head of the employee benefits practice group at Novara Law, says some providers will push back when asked about cybersecurity practices and may even ask the sponsor to sign a nondisclosure agreement in order to receive the information.

“On the provider side, they’ve got some legitimate concerns too,” Catenacci says. “They don’t necessarily want to publicize their security protocols. Some are saying [they] don’t want to reveal how much insurance [they] carry, because [they] don’t want to be a ransomware target [if] somebody knows [they] have a $30 million insurance policy.”

But Catenacci emphasizes that the Department of Labor expects employers to make prudent decisions when hiring service providers and that the vendor-vetting process should be well-documented.

“Plan sponsors need to be practical about this and [say], ‘Let’s weigh the costs and benefits,’” Catenacci says. “Certainly it’s a risk we need to manage, but not a risk we can manage in a vacuum.”

He suggests that a plan sponsor could have an IT focus group that helps with vetting service providers, as well as a cybersecurity expert that sits on the plan’s fiduciary committee—if they can afford it.

The Importance of Cybersecurity Insurance

Jon Meyer, chief technology officer at CAPTRUST, says it is crucial for plan sponsors, as well as any suppliers to the plan that process confidential information, to have cyber risk insurance.

“In addition to the financial coverage that cyber insurance can provide, it can also provide a team of really sophisticated experts who can assist any organization experiencing a breach, ranging from forensic information security personnel to lawyers [and] breach and mediation firms that have the scale and the capacity to contact consumers and support them with call centers,” Meyer says.

Allison Brecher, Vestwell’s general counsel and chief privacy officer, said plan sponsors should be aware that there has been a “sea change” in the cybersecurity insurance market since the start of the pandemic.

“Carriers are raising premiums and deductibles and, for some companies, dropping coverage altogether,” Brecher said in an emailed statement. “Plan sponsors should make sure that the service providers’ coverage levels, as well as the deductibles, are appropriate.”

Massa adds that a plan sponsor should ask vendors about their insurance coverage, and he says vendors should be candid about their errors and omissions policy, cyber policy and their access to protection in case of a breach.

Know Your Provider’s Provider

At the very least, Massa says a plan sponsor should ask vendors if the vendor uses any third-party subcontractors.

Hypothetically, a sponsor’s recordkeeper or third-party administrator could share a company’s data with an outsourced provider located outside the U.S. Massa says there is nothing illegal about outsourcing information, but the sponsor needs to know what is being done with that data before making a decision.

A sponsor may know that a vendor sends information to a company in Thailand, for example. If that company gets hacked, Massa says the sponsors needs to know how their employees will be protected against that breach.

“[The plan sponsor] is responsible for selecting that vendor and all the decisions that vendor makes,” Massa says. “Not asking the question and not doing due diligence is absolutely a problem.”

As seen with the MOVEit breach, Meyer explains that attackers are interested in getting into software products used across multiple organizations. If a sponsor hears about a major cyber breach, Meyer recommends they reach out to their vendors and ask if they were affected or if their suppliers were affected.

“Nobody can guarantee with certainty that everything they do is immune from that kind of exploitation,” Meyer says. “But what everybody can do is be really good at knowing their supplier.”

Part of a sponsor’s annual due diligence should include asking vendors follow-up questions, such as if they use any services like MOVEit and what their exposure is.

Educating Participants

As the Department of Labor explained in its cybersecurity best practices, plans need strong control procedures, guaranteeing that any system users are who they claim to be and that only appropriate parties can access IT systems and data.

Brecher said when a bad actor gets access to a plan participant’s login credentials through personal or work email, the bad actor will often log into the participant’s retirement plan account and take a distribution.

“These ‘account takeovers,’ as they are called, have little to do with the service provider, and carriers are routinely denying coverage for that type of loss,” Brecher said. “The best defense is a good offense, and plan sponsors should always be reviewing and reminding their own employees about [the] online security of their accounts, checking their statements regularly and immediately reporting any suspicious activities.”

Meyer says many breaches can be avoided by having multi-factor authentication in place. He says having passwordless security, which might address issues of fraud on the individual participant level, would be less secure than multi-factor authentication. With passwordless security, a participant is emailed a one-time password to use. Because multi-factor requires two steps of verification—a password and then a code—Meyer argues it is more secure.

Telling employees to create complex passwords and putting multi-factor security in place, Massa says, makes it more difficult for hackers to infiltrate accounts and provides an extra layer of protection in case of a breach.