Asset owners demand info on cybersecurity processes

Insufficient cybersecurity is becoming a deal breaker for firms that provide investment services to defined benefit and defined contribution plans.

An increasing number of requests for proposals now require firms to detail their cybersecurity procedures, the result of heightened concerns of the potential for data breaches and hackers.

“There are differences in cybersecurity procedures among providers, but now this has become an important part of everyone's due diligence,” said Gregg Sommer, Chicago-based principal and head of operational risk assessment at Mercer Sentinel, the investment operations consulting business of Mercer LLC. He said that what once was considered only best practice among asset owners, with due diligence focusing on only the largest money managers, is now “a market practice, where cybersecurity information is required by all plans from all providers.”

“It's no longer a question of whether (a provider) has cybersecurity procedures or doesn't,” Mr. Sommer said. “The issue is how extensive they are.”

Said David Holmgren, chief investment officer of Hartford HealthCare, Hartford, Conn.: “Cybersecurity is becoming a bigger issue (and) is a huge component of all our RFPs.” As a health-care provider, Hartford HealthCare has a heightened sensitivity to data security and confidentiality rules, he noted. “We apply this scrutiny on cybersecurity to all our contracts, including those providers for pension plans,” Mr. Holmgren said. Hartford HealthCare has $3 billion in pension, insurance and endowment assets.

Due diligence is crucial before asset owners even get to the RFP stage, said William Atwood, executive director of the $13.1 billion Illinois State Board of Investment, Chicago. “One of the things we rely on in cybersecurity is our early due-diligence process in seeking providers,” Mr. Atwood said. “We want providers with a strong technology base who understand and are sensitive to the need for data security.”

“We're seeing more and more security issues addressed in RFPs,” said Michael Pillion, Philadelphia-based partner at Morgan, Lewis & Bockus LLP. Mr. Pillion said there also are “more negotiations on adding data security terms. There's more attention to detail (in data security). It's something that's developing and will continue to.”

The potential for internal breaches also should concern asset owners, said Marla J. Kreindler, partner at Morgan, Lewis in Chicago.

Among the issues Ms. Kreindler cited: hackers accessing trust accounts and creating fraudulent billing accounts to draw assets; the use of passwords by multiple plan participants; and fraudulent e-mails that try and glean information from plan employees or participants.

“Ultimately (data security) is still the plan sponsor's responsibility. They can't just contract out responsibility for data breaches to third parties. ... It's not just about the contract. It's who is the plan sponsor choosing as a service provider. What due diligence has the plan sponsor done on the provider on important data questions, like who manages their server? Is it the provider or a third party? And is the server or the provider in another country? Those need to be known by the plan sponsor in the RFP process and then details about this have to be addressed and locked down in the contract,” Ms. Kreindler said.

Asset owners' concerns over providers' data security appear to be well founded.

According to a report released last week by the Securities and Exchange Commission, 74% of money managers and other registered investment advisers surveyed said they've been the subject of a cyber-related incident directly or through their external providers.

Also, while 79% of respondents conduct periodic risk assessments to identify cybersecurity threats and potential business consequences, only 32% apply those assessment requirements to their outside vendors.

Money managers and other service providers are responding to RFP requests for cybersecurity details, said Freeman Wood, principal at Mercer Sentinel in Chicago. They are, for example, detailing how they're proactively testing internal controls to fight cyberattacks. They're also vigorously scrutinizing their outsourced vendors, which Mercer Sentinel's Mr. Sommer said is a new phenomenon.

Managers' third-party providers under review include custodians, fund administrators and other middle- and back-office providers and “any organization that has a firm's confidential information — client information, portfolio information into possible trades — and actual access to money through any means, not just the ones you would think of,” Mr. Sommer said.

He cited the 2013 Target Corp. data breach, which eventually was discovered to have come from a computer of a heating and air-conditioning firm under contract to the retailer. “It's any vendor, providing any service, that has a link to that firm's data.”

A greater focus — and one often overlooked — is physical security, Mr. Sommer said. “With so much business activity now being done outside the office, it's encrypting laptops and personal devices, but it's also securing against access to a company's server. Outside office access is now integral in our reviews of provider security.”

Breaches can also be accidental but still risky, said John Barlament, partner, data privacy, at Quarles & Brady LLP, Milwaukee. Last month, a third-party administrator for DB and DC plans accidentally disclosed Social Security numbers, account balances and other information from participants in one company plan to another plan, which automatically downloaded the information into its database. “The vendor had one site where all clients could access via password,” Mr. Barlament said. “That was totally inadvertent, with no malicious intent. It wasn't a case of a disgruntled employee. But regardless, it was a data breach.” He would not name the parties involved.

William Stone, CEO of financial services software and fund administration service provider SS&C Technologies Inc., Windsor, Conn., said a big concern for providers “is from within. It's more likely that employees can get into systems. That's why you need strict monitoring ... to be able to spot suspicious activity.”

“You also need layers (of security). First the walls, then the moat, and then the people with the shotguns.”

Keith Overly, executive director of the $9.7 billion Ohio Public Employees Deferred Compensation Program, Columbus, has internal concerns over data security because record-keeping is done in-house. Among the program's internal security checks is an audit by an accounting firm every two years that looks at the plan's “physical and electronic security. They actually try to breach our system. The good news is that they haven't been able to.” n