Updated with correction
A global rise in cybersecurity breaches at targets as broad as Yahoo Inc. and the Democratic National Committee has put DC industry executives on notice that the theft of personal information — and the potential for theft of assets — are threats as serious to them as they have been to other industries.
“We should take the threat seriously, and the major providers and consulting firms, along with plan sponsors, are taking the threat extremely seriously,” said Ben Taylor, vice president, defined contribution consultant, at Callan Associates Inc., Chicago. “It is true that these plans include the use of personal information, as well as large sums of money, and as a result, it is incumbent upon the industry to continue to do an excellent job protecting both.”
Breaches can happen. The Chicago Deferred Compensation Plan, a $3.6 billion 457(b) plan, in June had $2.6 million taken through unapproved loans from 58 participant accounts accessed with stolen participant identification. Plan officials and Nationwide Retirement Solutions, the plan's provider, restored the assets within five days, said Ryan Ankrom, Nationwide spokesman.
Gregg Sommer, Chicago-based principal and head of operational risk assessment at Mercer Sentinel, said the similarity between the information kept by DC plans and their service providers and that held by banks and other financial services firms makes plans an attractive target.
“Take a step back and look at these different sectors — banking, financial services,” Mr. Sommer said. “These are all sectors that have commonalities like electronic connections and fiduciary responsibilities. Those all create vulnerabilities and also an attraction to hackers.”
Mercer Sentinel is the investment operations consulting business of Mercer LLC.
Cybersecurity issues are “not really unique in defined contribution,” added Raj Chaudhary, principal, cybersecurity services leader, at Crowe Horwath LLP, Chicago, a public accounting, consulting and technology firm. “Hackers are getting smarter and are getting better at decrypting. ... We need to get smarter overall in protecting online sites like banking and DC portals. Ninety-five percent of those sites are protected, but the level of protection can vary.”
But there are issues specific to defined contribution plans when it comes to cybersecurity, mainly related to those plans' adherence to the Employee Retirement Income Security Act of 1974, which regulates the fiduciary requirements of retirement plans. The question of whether ERISA exempts plans from the 47 separate cybersecurity notification laws among the states and the District of Columbia has not yet been dealt with, said Matthew H. Hawes, Pittsburgh-based partner in the employee benefits and executive compensation group at law firm Morgan Lewis & Bockius LLP. He also is co-leader of the group's efforts on data privacy and cybersecurity.
Public DC plans like Chicago's are exempt from ERISA.
“We really think a lot about ERISA exemptions and their impact,” Mr. Hawes added. “The courts have not ruled on (cybersecurity responsibility) yet. Then there are 47 different laws from states and the District of Columbia described as data breach notification laws or local data privacy laws that address cybersecurity. It's a new area.
“Pre-emption could apply, but that doesn't mean plan sponsors or committees are off the hook,” Mr. Hawes said. “They could face separate issues related to cybersecurity as a plan fiduciary. How and the extent the state laws apply to retirement plans and retirement plan fiduciaries are open questions due to ERISA pre-emption that likely will be resolved by the courts. Even if there's no specific requirement for responsibility under a state law, that doesn't mean that fiduciaries don't need to do something.”
Most defined contribution plan executives and service providers contacted for this story did not return calls or e-mails for comment, with one DC plan official saying not for attribution that he didn't want to put the plan's name in the mind of any potential hackers. However, Emily Farrell, spokeswoman for Vanguard Group Inc., Malvern, Pa., said in an e-mailed response to questions on cybersecurity that the firm puts “an undeniable premium on security issues due to the nature of our business and commitment to protecting our clients' data.”
Vanguard, which has $380 billion in assets record kept for 5,602 plan sponsors and 4.08 million participants as of Dec. 31, according to Pensions & Investments' data, has faced criticism that it was easy for some to gain access to participant information, often reaching accounts despite typographical errors in the entered passwords. But Ms. Farrell said Vanguard continually updates and reviews its cybersecurity procedures to ensure the information is secure. “We are aware of the responsibility we bear when our clients place their trust in Vanguard, hence the significant resources that we dedicate to protecting our clients and their assets,” Ms. Farrell said.