What’s at Risk in a Cyberattack on a DC Plan?

Every organization working with a defined contribution plan shares the responsibility for protecting from cyberattack the data, reputation, trust and $10.2 trillion of accumulated assets in retirement plans. Safeguarding DC plans from digital security issues does not end with ensuring criminals do not steal workers’ nest eggs, explains Gregg Levinson, senior director for retirement at WTW.

“The risk is substantial: It is the integrity of the defined contribution system, broadly,” he says. “For vendors, it is their own integrity [and the] ability to protect their assets and their business model, [whereas] for employers, it is being able to also protect their employee assets and their employee relations.”

The risks were highlighted this year when a breach of the encrypted file transfer software program MOVEit, owned by Progress Software Corp., hit financial firms, including asset managers and retirement plan recordkeepers, universities, the U.S. federal government and California public retirement systems. Related litigation against several of the affected firms remains pending, and additional vulnerabilities of Progress Software products continue to come to light.

For corporate business leaders, guarding against online threats is—for the ninth straight year—among the top three business concerns for leaders. Some 58% of 1,200 representatives of companies of all sizes worry some or a great deal about cyber risks, ranking vulnerability to attack just below medical cost inflation (60%) and broad economic uncertainty (59%), found the 2023 Travelers Risk Index, published on September 26.

Overall cyberattack statistics demonstrate that risks and concerns go well beyond the workplace. Computers of are infected with malicious software; 47% of U.S. adults have had personal information exposed by cybercriminals; and the Facebook accounts of 600,000 individuals are hacked every single day, according to data from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

What Is at Stake?

The risks can affect any organization. In addition to private employers, public sector employers and their retirement plans also grapple with a broad variety of digital risks to the accumulated retirement plan assets held by state and local government employees, says Matthew Petersen, executive director of the National Association of Government Defined Contribution Administrators.

“What’s at risk is really as broad as the different types of attacks that are out there, and they do run the gamut: from actually taking money out of an account to getting personally identifiable information and passwords that you could use to trade on the dark web or access other types of accounts,” Petersen says. “The risk is broad; the risk is hard to measure. It can touch any aspect of the organization and any aspect of the [DC] plan.”

More than half of business leaders surveyed by Travelers say it is inevitable their business will be a victim of a cyberattack. Allison Itami, a principal in Groom Law Group, says the risk for plan sponsors ranges widely.

“The data is at risk, assets are at risk, the reputation of the plan sponsor can be at risk or [that of] the service provider,” she says. “Also, fundamentally, the trust or the goodwill and the relationship can be at risk: There is a lot on the line if somebody were to lose access to their retirement savings.”

Protection Plan

Defined contribution plans can bolster their own support systems by committing to specific obligations. For cyber-risk oversight, writing the process into the plan charter is important, Levinson explains.

“Smart practice, and what we advise clients on, is to incorporate cybersecurity into [the] fiduciary oversight model and make sure [DC plans are] following key steps both from a process standpoint, an IT standpoint and [down the line],” he says. “But it is not just an HR issue. It is an IT issue, it is a business issue, it is a communications issue.”

For DC plan sponsors, incorporating cybersecurity response processes into the plan’s governing documents is the most important facet of cybersecurity oversight, should a breach occur, Levinson says, adding that WTW recommends plan sponsors have their own cyber policy similar to an investment or compliance policy.

Protecting the DC plan is a multi-pronged process, but “it starts with retirement plan committee awareness,” says Larry Crocker, founder and CEO of Fiduciary Consulting Group Inc. “One of the things that is recommended [for DC plans] is IT being involved in committees; if not a member of the committee, then at least periodically attending the committee and becoming a part of the [retirement plan] review process,.”

Participants are also responsible for taking cybersecurity seriously and observing proper protocols to maintain diligent systems.   

Notwithstanding “all the great systems in place, if an employee gets phished and clicks on it, [the systems do] not matter,” Levinson explains. “It all falls apart.”

Education is key to supporting the efficacy of government and corporate systems put in place, adds Levinson. “[DC plans] have to put a lot of systems and processes in place and have employees [who are often also plan participants] be vigilant against it; all have to work together to make it work,” he says.

Essential Stress Testing

Corporate and government plan sponsors should also explore mitigating the risk of cyberattack by stress testing plans in transactional audits, notes Levinson.

He explains that transactional auditing involves running through a transaction and, if there is an incident, noting what steps the provider will take, what steps the organization is going to take and how they match up with each other?

“It is a hypothetical: If an incident were to happen, what happens? Making sure that you as the plan sponsor are satisfied with your vendors’ response times, their answers to your questions—all those things—so that if something happens, you know what is going to happen and you are satisfied with what is going to happen,” he explains.

Stress testing the DC plan, with an audit of transactions “should be part of the committee’s responsibility,” adds Crocker.

Plan sponsors should consult the guidance of the Department of Labor’s 2021 cybersecurity best practices as a good place to begin, adds Levinson. Using the DOL guidance to educate participants also makes sense, according to Groom’s Itami.

Vulnerabilities

Examining a plan sponsor’s digital vulnerability will expose conditions that mitigate or exacerbate the risks, according to Crocker. The plan sponsor should execute its oversight responsibility by stress testing the plan recordkeeper periodically, he says.

“The risk is generally around the recordkeeper and having the employees’ accounts hacked or it’s to the recordkeeper and the employer with fraudulent distributions,” says Crocker. “That is the hub, [because] that is where the participants’ accounts reside.“

But the entire chain of cyberattack prevention and protection is only as strong or weak as each link, Petersen explains.  

“Anywhere in the chain of custody of information, there is vulnerability,” he says. “Whether you are talking about the end user—the person actually trying to access their account—whether you are talking about the administrator themselves, whether you are talking about a party who is connected to the administrator through software, there are really any number of vulnerabilities throughout the system.” 

Implementing, maintaining and reminding every partner to a DC retirement plan and participants themselves to observe “good cyber hygiene” remains critical, Petersen adds.  

“It is why we all do the training; it is why almost every government has some sort of cybersecurity training for the people who are touching the system to be able to use,” he explains. “It is really vigilance at all levels.”