Skip to main content
MENU
Subscribe
  • Sign Up Free
  • LOGIN
  • Subscribe
  • Topics
    • Alternatives
    • Consultants
    • Coronavirus
    • Courts
    • Defined Contribution
    • ESG
    • ETFs
    • Face to Face
    • Hedge Funds
    • Industry Voices
    • Investing
    • Money Management
    • Opinion
    • Partner Content
    • Pension Funds
    • Private Equity
    • Real Estate
    • Russia-Ukraine War
    • SECURE 2.0
    • Special Reports
    • White Papers
  • Rankings & Awards
    • 1,000 Largest Retirement Plans
    • Top-Performing Managers
    • Largest Money Managers
    • DC Money Managers
    • DC Record Keepers
    • Largest Hedge Fund Managers
    • World's Largest Retirement Funds
    • Best Places to Work in Money Management
    • Excellence & Innovation Awards
    • WPS Innovation Awards
    • Eddy Awards
  • ETFs
    • Latest ETF News
    • Fund Screener
    • Education Center
    • Equities
    • Fixed Income
    • Commodities
    • Actively Managed
    • Alternatives
    • ESG Rated
  • ESG
    • Latest ESG News
    • The Institutional Investor’s Guide to ESG Investing
    • ESG Sustainability - Gaining Momentum
    • Climate Change: The Inescapable Opportunity
    • Impact Investing
    • 2022 ESG Investing Conference
    • ESG Rated ETFs
  • Defined Contribution
    • Latest DC News
    • DC Money Manager Rankings
    • DC Record Keeper Rankings
    • Innovations in DC
    • Trends in DC: Focus on Retirement Income
    • 2022 Defined Contribution East Conference
    • 2022 DC Investment Lineup Conference
  • Searches & Hires
    • Latest Searches & Hires News
    • Searches & Hires Database
    • RFPs
  • Performance Data
    • P&I Research Center
    • Earnings Tracker
    • Endowment Returns Tracker
    • Corporate Pension Contribution Tracker
    • Pension Fund Returns Tracker
    • Pension Risk Transfer Database
    • Future of Investments Research Series
    • Charts & Infographics
    • Polls
  • Careers
  • Events
    • View All Conferences
    • View All Webinars
    • 2023 Defined Contribution East
    • 2023 ESG Investing
Breadcrumb
  1. Home
  2. DEFINED CONTRIBUTION
August 24, 2015 01:00 AM

Gaps remain in perception of cyber threats

Execs confident providers' practices are sound; professionals say otherwise

Robert Steyer
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    International Foundation of Employee Benefit Plans' Julie Stich: 'Sponsors might not be as aware as they should be. (They) should be more concerned.”

    Efforts by defined contribution and other employee benefit plans to improve cybersecurity appear to reflect a paraphrase from former Defense Secretary Donald Rumsfeld: They don't know what they don't know.

    Although a recent survey showed a majority of DC plan executives expressed confidence in their service providers' cybersecurity policies and practices, cybersecurity specialists and ERISA attorneys say many benefits plans still need more work to achieve greater protection.

    “The mantra of cybersecurity professionals is that there are two types of people,” said Matthew E. Jackson, a New York-based senior vice president for Segal Select Insurance Services Inc., an insurance brokerage and subsidiary of The Segal Group Inc. “Those that know they have been hacked and those that don't know they have been hacked.”

    Experts and attorneys say benefit-plan executives are taking steps to improve cybersecurity, such as demanding more detailed answers from providers in RFPs and conducting more stringent internal reviews of plan policies. However, they warn that the industry as a whole isn't treating such protection as a top priority.

    “This is an issue that has gotten very little attention” among DC plans, said Jeffrey Capwell, a Charlotte, N.C.-based partner at McGuireWoods LLP, and head of the law firm's employee benefits and executive compensation practice.

    “Wait until there's an Anthem-like security breach in the retirement context,” said Mr. Capwell, referring to the hacking of data at Anthem Inc., the Indianapolis-based health benefits company, that exposed information on as many as 80 million people. “Then, there will be a greater focus.”

    A May 2015 report by the Ponemon Institute, Traverse City, Mich., said the “average total organizational cost” of data breaches reached $6.53 million, based on a review of 62 U.S. companies that experienced breaches primarily in 2014 but also in 2015.

    The institute, whose data-breach work is sponsored by IBM, has conducted annual surveys for 10 years. The average cost was $5.85 million in last year's report. Ponemon's annual surveys examine incidents involving 100,000 or fewer compromised records.

    Not much research

    Research on DC plan executives' attitudes and actions regarding cybersecurity is meager. In a recent broad survey of 398 DC plan practices, Deloitte Consulting LLP asked several questions about cybersecurity, finding that:

    nFifty-nine percent of DC plan executives said they were very confident in their providers' cybersecurity practices while another 30% said they were somewhat confident.

    nNinety-three percent said their data hadn't been compromised. Four percent said their data had been compromised within the last year (for plans with more than 10,000 employees, the rate was 9%.) Among the broader group, 2% said their data had been compromised one to five years ago; and 1% said their data had been compromised more than five years ago.

    nSeventeen percent have never reviewed providers' cybersecurity policy and procedures, while 3% reviewed them more than five years ago. Fifty-five percent conducted a review within the past year, while 25% reviewed it one to five years ago.

    Some cybersecurity experts said they were skeptical of some Deloitte findings.

    “It's been my experience that plans don't follow through on monitoring” of providers' cybersecurity practices, said Mr. Capwell, adding there's more to ensuring protection than issuing an RFP. “Sponsors need to follow through contractually with reporting obligations,” he said. “You need more rigor in your contract with your provider.”

    Mr. Jackson added he has seen an increase in requests by DC plans and other benefits plans for more cybersecurity information in RFPs, plus stronger wording in existing contracts and a greater interest in insurance.

    “Two or three years ago, when we talked to sponsors, there was not a lot of interest” in cybersecurity insurance, he said. However, in the past six months, there has been an increase in the number of benefits plans asking about and buying such insurance.

    Mr. Jackson couldn't quantify the amounts, adding the overall percentage is still small.

    Greater concern

    Another survey of a broader group of 179 benefits plan executives found cyberattacks and internal security data security breaches were bigger concerns than workplace violence, terror attacks or disease, said Julie Stich, research director of the International Foundation of Employee Benefit Plans, Brookfield, Wis., whose organization published the survey in March.

    Despite plan executives' concerns, “I do think sponsors might not be as aware (of cybersecurity problems) as they should be,” said Ms. Stich. “I think sponsors should be more concerned.”

    Among the sources of trouble: employees who take a laptop home and then lose it; computer system failures; inadequate password protection; and failure to destroy obsolete information.

    “The danger is one of complacency,” said Mark Nicholson, principal for Deloitte Cyber Risk Services, noting that the investment management sector — benefits plans, mutual fund companies, hedge funds and private equity firms — is “relatively immature when it comes to cybersecurity.”

    They haven't devoted a large amount of money to cybersecurity, in part because “it hasn't been a proven risk issue for them,” he added. “There is a prevailing perspective that investment managers aren't a target” of hackers.

    Mr. Nicholson's offers this advice to clients: Be secure in your technology; be vigilant in monitoring internal and provider cybersecurity policies and practices; and be resilient by having a response plan in place and conducting cybersecurity breach simulations.

    Patchwork of laws

    Another cybersecurity challenge is the uncertainty caused by a patchwork of laws and regulations — both state and federal — governing liability and responsibility.

    Part of the problem is the Labor Department “has been relatively quiet on this,” said Stephen P. Wilkes, of counsel to The Wagner Law Group in San Francisco. “There is a lack of specific guidance under ERISA.”

    Mr. Wilkes said the department needs to answer many cybersecurity questions. For example: Is plan data considered a plan asset for ERISA purposes? Is cybersecurity a fiduciary act?

    Mr. Wilkes said the DOL should conduct a “gap analysis” to study where laws and regulations are inconsistent, contradictory and/or silent on cybersecurity and retirement plans. At the very least, he added, the DOL should issue guidance and clarification for sponsors and providers outlining industry best practices.

    Absent DOL guidance, many sponsors have been adopting best practices regarding retention of data, requiring more detailed information from providers and educating employees. “Best practices demand that sponsors treat cybersecurity as a fiduciary matter even if the laws are unclear,” Mr. Wilkes said.

    Related Articles
    Important questions to ask current providers, in RFPs
    State Street reports contractor took data from alternatives administration unit
    More firms buy insurance for cyberattacks
    Morgan Stanley to pay $1 million to settle SEC cybersecurity breach charges
    G-7 countries establish elements to target cybersecurity in global finance indu…
    Plans face threats to crucial data
    Recommended for You
    A handful of $100 bills
    Seneca County moving participants in 457 plan to state deferred comp plan
    parliament 1550_i.jpg
    U.K. considers CDC model for multiemployer plans
    British-Union-Jack-Parliament_i.jpg
    New U.K. regulations allow DC plans to increase illiquid investments
    The Institutional Investor's Guide to ESG Investing
    Sponsored Content: The Institutional Investor's Guide to ESG Investing

    Reader Poll

    January 25, 2023
    SEE MORE POLLS >
    Sponsored
    White Papers
    Show Me the Income: Discovering plan sponsor and participant preferences for cr…
    The Future of Infrastructure: Building a Better Tomorrow
    Outlook 2023: Opportunity in a volatile world
    Research for Institutional Money Management
    View More
    Sponsored Content
    Partner Content
    The Industrialization of ESG Investment
    For institutional investors, ETFs can make meeting liquidity needs easier
    Gold: the most effective commodity investment
    2021 Investment Outlook | Investing Beyond the Pandemic: A Reset for Portfolios
    Ten ways retirement plan professionals add value to plan sponsors
    Gold: an efficient hedge
    View More
    E-MAIL NEWSLETTERS

    Sign up and get the best of News delivered straight to your email inbox, free of charge. Choose your news – we will deliver.

    Subscribe Today
    December 12, 2022 page one

    Get access to the news, research and analysis of events affecting the retirement and institutional money management businesses from a worldwide network of reporters and editors.

    Subscribe
    Connect With Us
    • RSS
    • Twitter
    • Facebook
    • LinkedIn

    Our Mission

    To consistently deliver news, research and analysis to the executives who manage the flow of funds in the institutional investment market.

    About Us

    Main Office
    685 Third Avenue
    Tenth Floor
    New York, NY 10017-4036

    Chicago Office
    130 E. Randolph St.
    Suite 3200
    Chicago, IL 60601

    Contact Us

    Careers at Crain

    About Pensions & Investments

     

    Advertising
    • Media Kit
    • P&I Content Solutions
    • P&I Careers | Post a Job
    • Reprints & Permissions
    Resources
    • Subscribe
    • Newsletters
    • FAQ
    • P&I Research Center
    • Site map
    • Staff Directory
    Legal
    • Privacy Policy
    • Terms and Conditions
    • Privacy Request
    Pensions & Investments
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • Topics
      • Alternatives
      • Consultants
      • Coronavirus
      • Courts
      • Defined Contribution
      • ESG
      • ETFs
      • Face to Face
      • Hedge Funds
      • Industry Voices
      • Investing
      • Money Management
      • Opinion
      • Partner Content
      • Pension Funds
      • Private Equity
      • Real Estate
      • Russia-Ukraine War
      • SECURE 2.0
      • Special Reports
      • White Papers
    • Rankings & Awards
      • 1,000 Largest Retirement Plans
      • Top-Performing Managers
      • Largest Money Managers
      • DC Money Managers
      • DC Record Keepers
      • Largest Hedge Fund Managers
      • World's Largest Retirement Funds
      • Best Places to Work in Money Management
      • Excellence & Innovation Awards
      • WPS Innovation Awards
      • Eddy Awards
    • ETFs
      • Latest ETF News
      • Fund Screener
      • Education Center
      • Equities
      • Fixed Income
      • Commodities
      • Actively Managed
      • Alternatives
      • ESG Rated
    • ESG
      • Latest ESG News
      • The Institutional Investor’s Guide to ESG Investing
      • ESG Sustainability - Gaining Momentum
      • Climate Change: The Inescapable Opportunity
      • Impact Investing
      • 2022 ESG Investing Conference
      • ESG Rated ETFs
    • Defined Contribution
      • Latest DC News
      • DC Money Manager Rankings
      • DC Record Keeper Rankings
      • Innovations in DC
      • Trends in DC: Focus on Retirement Income
      • 2022 Defined Contribution East Conference
      • 2022 DC Investment Lineup Conference
    • Searches & Hires
      • Latest Searches & Hires News
      • Searches & Hires Database
      • RFPs
    • Performance Data
      • P&I Research Center
      • Earnings Tracker
      • Endowment Returns Tracker
      • Corporate Pension Contribution Tracker
      • Pension Fund Returns Tracker
      • Pension Risk Transfer Database
      • Future of Investments Research Series
      • Charts & Infographics
      • Polls
    • Careers
    • Events
      • View All Conferences
      • View All Webinars
      • 2023 Defined Contribution East
      • 2023 ESG Investing