Updated with correction
As technology in defined contribution expands, so do concerns about cybersecurity, sources said — as much for the participant data that plan sponsors and record keepers hold as for the assets they're managing.
"It's an issue across the board that needs to be closely monitored and addressed," said Sabrina Bailey, director, digital investment advice, Northern Trust Asset Management, Chicago. "The data is already held by record keepers. Data already is in the system. It's just not being used today. There's a lot of idle data about a person. The risk is already there."
Added Bart McDonough, CEO and founder of Agio, a New York-based cybersecurity and information technology provider to the financial services industry: "In some ways, DC plans are tougher to hack because they don't have as much free-flowing exchange of cash as other accounts do, so you're not as able to intercept that. With DC plans, it's more extractive. But they're still a target because they hold a lot of information about participants. That's quite valuable for people to extract money or to sell that information on the dark web."
At record keepers, as with investment management firms in general, Mr. McDonough said "there's a higher level of breach attempts … to use of the knowledge of prior transactions made by plan members and account holders that can be used to do social engineering." In such social engineering, attackers try to avert suspicion by mimicking an individual's routine financial behaviors, so that fraudulent transactions blend in with legitimate ones.
"It's like when you order a package," Mr. McDonough said. "When you see a brown truck and a driver in a brown suit carrying an Amazon box, you open the door. If you see a beat-up truck, a driver in sweats and a damaged Amazon box, you call the police. Hackers look at job descriptions, past financial activities, and use that to make themselves look as much like you as possible to an investment manager. If you're expected to transfer money at a certain time, they can expect it and hack into an account to get that money."
While most record keepers have "deep benches" of information technology professionals to secure systems that collect DC participant data, those firms still have different levels of technology, which should concern plan sponsors, said Marina Edwards, senior consultant, Willis Towers Watson LLC, Madison, Wis.
"In those ABCDs of technology (artificial intelligence, blockchain, cloud-based systems and digital delivery), part of cybersecurity is why does an employer care about this?" Ms. Edwards said. "If those ABCDs aren't state of the art, they want to know what's the risk. Hackers can take over these 401(k) accounts, which are not insured. And while most record keepers have cyber insurance and fraud policies, like with cybersecurity, not all are the same. Do they have make-whole policies? Who makes the participant whole in case money is removed in a breach? Most record keepers have fraud policies that replace 100%, but some replace less."
Ms. Edwards said there's often a disconnect between plan sponsor cybersecurity staff and fiduciary committees over understanding the threat of hacking and what it means.
"The maturity and knowledge of what to look for on cyber issues is stronger with the cyber team versus the maturity and knowledge of cyber issues by the fiduciary team," she said. "Why is that a big deal? The fiduciary committee has the fiduciary responsibilities. Committee members could be held personally responsible if there's a loss from a hack under ERISA."
An example, Ms. Edwards said, is a federal lawsuit filed in 2016 and amended in July by participants in Nashville, Tenn.-based Vanderbilt University's 403(b) plan. The suit alleges that the university breached its fiduciary duties by giving third parties participant data to market services to them.
"They claimed the plan sponsor didn't care as much for plan data as it did for plan assets," she said. "If that court rules plans have to care for data as much as they are required to do for plan assets, they can be held personally liable."
Willis Towers Watson is working to get its DC plan sponsor clients to develop a cyber fraud policy, a three- or four-page document, incorporated into the final plan document, that maps out what plan sponsors must do to protect information, Ms. Edwards said. "They should also set up a risk-management strategy including a fraud policy that establishes how data is transferred to record keepers and their duty to monitor record keeper cybersecurity, so we know they completed the due diligence of the provider. We also recommend a review of insurance coverage."
Even if a company's record-keeping unit isn't found to have suffered a breach, there's reputational risk when an unrelated business is hacked, said Agio's Mr. McDonough, citing the $1 million settlement reached Sept. 26 between the Securities and Exchange Commission and Voya Financial Advisors, the retail wealth management brokerage unit of Voya Financial. The SEC said intruders impersonating Voya Financial Advisors contractors called VFA's support line and requested that the contractors' passwords be reset over a six-day period in 2016. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.
Mr. McDonough said Voya's DC record-keeping business was not involved, but there was a weak link elsewhere at Voya. "People infer that if A is weak, B must be weak," Mr. McDonough said. "If I'm a hacker, I'd say full speed ahead at going after their other business. People get breached, and many handle that very well. I want to work with those firms. But other firms were intellectually bankrupt on their cybersecurity."