Efforts by defined contribution and other employee benefit plans to improve cybersecurity appear to reflect a paraphrase from former Defense Secretary Donald Rumsfeld: They don't know what they don't know.
Although a recent survey showed a majority of DC plan executives expressed confidence in their service providers' cybersecurity policies and practices, cybersecurity specialists and ERISA attorneys say many benefits plans still need more work to achieve greater protection.
“The mantra of cybersecurity professionals is that there are two types of people,” said Matthew E. Jackson, a New York-based senior vice president for Segal Select Insurance Services Inc., an insurance brokerage and subsidiary of The Segal Group Inc. “Those that know they have been hacked and those that don't know they have been hacked.”
Experts and attorneys say benefit-plan executives are taking steps to improve cybersecurity, such as demanding more detailed answers from providers in RFPs and conducting more stringent internal reviews of plan policies. However, they warn that the industry as a whole isn't treating such protection as a top priority.
“This is an issue that has gotten very little attention” among DC plans, said Jeffrey Capwell, a Charlotte, N.C.-based partner at McGuireWoods LLP, and head of the law firm's employee benefits and executive compensation practice.
“Wait until there's an Anthem-like security breach in the retirement context,” said Mr. Capwell, referring to the hacking of data at Anthem Inc., the Indianapolis-based health benefits company, that exposed information on as many as 80 million people. “Then, there will be a greater focus.”
A May 2015 report by the Ponemon Institute, Traverse City, Mich., said the “average total organizational cost” of data breaches reached $6.53 million, based on a review of 62 U.S. companies that experienced breaches primarily in 2014 but also in 2015.
The institute, whose data-breach work is sponsored by IBM, has conducted annual surveys for 10 years. The average cost was $5.85 million in last year's report. Ponemon's annual surveys examine incidents involving 100,000 or fewer compromised records.