But experts say ERISA might exempt some from notification laws
Updated with correction
A global rise in cybersecurity breaches, hitting targets as varied as Yahoo Inc. and the Democratic National Committee, has put defined contribution industry executives on notice that the theft of personal information — and the potential for theft of assets — are threats as serious to them as they have been to other industries.
“We should take the threat seriously, and the major providers and consulting firms, along with plan sponsors, are taking the threat extremely seriously,” said Ben Taylor, vice president, defined contribution consultant, at Callan Associates Inc., Chicago. “It is true that these plans include the use of personal information, as well as large sums of money, and as a result, it is incumbent upon the industry to continue to do an excellent job protecting both.”
Breaches can happen. In June, the Chicago Deferred Compensation Plan, a $3.6 billion 457(b) plan, had $2.6 million taken through unapproved loans from 58 participant accounts that were accessed using stolen participant identification. Plan officials and Nationwide Retirement Solutions, the plan's provider, restored the assets within five days, said Ryan Ankrom, Nationwide spokesman.
Gregg Sommer, Chicago-based principal and head of operational risk assessment at Mercer Sentinel, said the similarity between the information kept by DC plans and their service providers and what is held by banks and other financial services firms makes plans an attractive target.
“Take a step back and look at these different sectors — banking, financial services,” Mr. Sommer said. “These are all sectors that have commonalities like electronic connections and fiduciary responsibilities. Those all create vulnerabilities and also an attraction to hackers.”
Mercer Sentinel is the investment operations consulting business of Mercer LLC.
Cybersecurity issues are “not really unique in defined contribution,” added Raj Chaudhary, principal, cybersecurity services leader, at Crowe Horwath LLP, Chicago, a public accounting, consulting and technology firm. “Hackers are getting smarter and are getting better at decrypting. ... We need to get smarter overall in protecting online sites like banking and DC portals. Ninety-five percent of those sites are protected, but the level of protection can vary.”
But there are issues specific to defined contribution plans when it comes to cybersecurity, mainly related to those plans' adherence to the Employee Retirement Income Security Act of 1974, which regulates the fiduciary requirements of retirement plans. The question of whether ERISA exempts plans from the 47 separate data breach notification laws among states and the District of Columbia has not yet been settled, said Matthew H. Hawes, Pittsburgh-based partner, employee benefits and executive compensation group at law firm Morgan Lewis & Bockius LLP. He also is co-leader of the group's efforts on data privacy and cybersecurity.
Public DC plans like Chicago's are exempt from ERISA.
“We really think a lot about ERISA exemptions and their impact,” Mr. Hawes added. “The courts have not ruled on (cybersecurity responsibility) yet. Then there are 47 different laws from states and the District of Columbia described as data breach notification laws or local data privacy laws that address cybersecurity. It's a new area.
“Pre-emption could apply, but that doesn't mean plan sponsors or committees are off the hook,” Mr. Hawes said. “They could face separate issues related to cybersecurity as a plan fiduciary. How and the extent the state laws apply to retirement plans and retirement plan fiduciaries are open questions due to ERISA pre-emption that likely will be resolved by the courts. Even if there's no specific requirement for responsibility under a state law, that doesn't mean that fiduciaries don't need to do something.”
Most defined contribution plan executives and service providers contacted for this story did not return calls or e-mails for comment, with one DC plan official saying not for attribution that he didn't want to put the plan's name in the mind of any potential hackers. However, Emily Farrell, spokeswoman for Vanguard Group Inc., Malvern, Pa., said in an e-mailed response to questions on cybersecurity that the firm puts “an undeniable premium on security issues due to the nature of our business and commitment to protecting our clients' data.”
Vanguard, which record keeps $380 billion in assets for 5,602 plan sponsors and 4.08 million participants as of Dec. 31, according to Pensions & Investments' data, has faced criticism that participant accounts were too easy to get into, with logins reportedly succeeding even when the entered password contained typographical errors. But Ms. Farrell said Vanguard continually updates and reviews its cybersecurity procedures to ensure the information is secure. “We are aware of the responsibility we bear when our clients place their trust in Vanguard, hence the significant resources that we dedicate to protecting our clients and their assets,” Ms. Farrell said.
DC breach threats
Weak or reused passwords, and the ability of hackers to guess login credentials or password-reset answers, are among the main cyberthreats to DC plans.
“If I can build an identity profile of someone, I can guess how to reset a password,” said Mr. Chaudhary of Crowe Horwath. “The names of people's dogs or their kids are common passwords. Everyone has a habit of using the same one or two passwords for all their access. Guess what? That means all are susceptible to a stolen password.”
Mr. Chaudhary said some DC plan portals, whether web-based or accessed through apps, are adopting a layered authentication approach, including required dual IDs, with one password issued by the service provider and another set by the plan participant, and fingerprint identification, which, he said, “is definitely better than using passwords. But will that become more broadly used? That's a challenge. ... Still, the layered approach is one of the best solutions, but most sites don't use it.”
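The typo-tolerant login behaviour criticised above and the layered approach Mr. Chaudhary describes can be made concrete. What follows is an added example written for this page, not code from Vanguard, Crowe Horwath or any record keeper: a hypothetical loose comparison that normalises passwords before matching (and so accepts typos, along with many other wrong guesses), beside a strict check that stores a salted scrypt digest, compares it in constant time and requires an RFC 6238 one-time code as a second factor. The sample password, the scrypt parameters and the timestamp are constructed; the TOTP secret is the RFC 6238 reference secret so the routine can be checked against the published test vector.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample credential; nothing here is a real participant's data.
ENROLLED_PASSWORD = "Fluffy-2016!"
# RFC 6238 reference secret, used only so the TOTP routine can be checked
# against the published test vector (T=59 -> 287082 for 6 digits, SHA-1).
RFC6238_SECRET = b"12345678901234567890"
# Assumed work factor: 16 MiB of memory per verification.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def loose_match(entered: str, enrolled: str) -> bool:
    """Hypothetical typo-tolerant check: case-folds, drops punctuation and keeps
    only the first eight characters before comparing.  It 'accepts typos' only
    because it discards most of the password, so many wrong guesses also pass."""
    def normalise(p: str) -> str:
        return "".join(ch for ch in p.lower() if ch.isalnum())[:8]
    return normalise(entered) == normalise(enrolled)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Store a salted scrypt digest of the password plus the participant's
    second-factor secret; the plaintext password is never retained."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret}


def verify_password(entered: str, record: dict) -> bool:
    """Exact, constant-time comparison of the recomputed digest."""
    candidate = hashlib.scrypt(entered.encode("utf-8"), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, record["digest"])


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for a Unix time."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def login(entered_password: str, entered_code: str, record: dict, now: int) -> bool:
    """Layered check: the password (something known) and a one-time code from
    the participant's device (something possessed) must both verify.  Both
    factors are always evaluated so timing does not reveal which one failed."""
    pw_ok = verify_password(entered_password, record)
    # Accept the current 30-second step and the previous one for clock drift.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], now - drift), entered_code)
        for drift in (0, 30)
    )
    return pw_ok and code_ok


def demo() -> dict:
    """Contrast the two checks on the same mistyped password."""
    record = enroll(ENROLLED_PASSWORD, RFC6238_SECRET)
    typo = "fluffy-2019"       # wrong case, wrong year
    now = 1476662400           # 2016-10-17 00:00:00 UTC, constructed
    return {
        "loose_accepts_typo": loose_match(typo, ENROLLED_PASSWORD),
        "strict_accepts_typo": verify_password(typo, record),
        "strict_accepts_correct": verify_password(ENROLLED_PASSWORD, record),
        "login_both_factors": login(ENROLLED_PASSWORD, totp(RFC6238_SECRET, now), record, now),
        # Correct password but no second factor supplied at all.
        "login_password_only": login(ENROLLED_PASSWORD, "", record, now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it to see the loose check accept `fluffy-2019` for `Fluffy-2016!` while the strict check rejects it, and the layered `login` fail whenever either factor is missing. The loose normaliser is invented to illustrate the failure mode; the article does not say what normalisation, if any, a given provider applied.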
There's also a very low-tech issue that could provide big rewards for hackers — many older participants demand paper DC account statements, which contain participant names, addresses and account numbers.
“The older generation wants hard copy,” Mr. Chaudhary said. “DC statements are another major source of information, like account numbers and names. ... When we do audits of banks and financial service firms, we go so far with some of our clients to actually do dumpster-diving at their sites to see if we can find printouts of account numbers and other confidential information, because that's often what hackers are doing.”
Mercer's Mr. Sommer said more elaborate ways of obtaining password information could be less successful than simply looking over the shoulder of a participant accessing their account on a laptop computer or smartphone in a public place. “Hackers can be very complex, but sometimes they can access information through very primitive needs,” Mr. Sommer said. “So much of these things are accessible, it's not all that difficult to get. So participants need to know password protection techniques. And once that oversight (of participant education) is established, then the training can begin. It's the basics — you need a good password, not a pet's name or a nickname. That's important. Participants need to be as educated as anyone else, not only in creating strong passwords but in changing passwords frequently and to recognize phishing and spoofing e-mails.”
Mr. Chaudhary said participant education is lacking and that the industry as a result is more reactive on cybersecurity than proactive.
“I'm not seeing a whole lot of educating users,” he said. “Once hacked, they're forced to change IDs and passwords, make them more complex and less accessible. They usually create a password policy to force them to make security changes. But that's more often after a hack has happened.”
While ID information might be available to hackers, Callan's Mr. Taylor said, accessing DC plan assets won't be as easy. “It's not as simple as with credit cards or banks where they can immediately liquidate an account,” Mr. Taylor said.
In some cases, hackers are caught during the check issuance process after a request is made online to withdraw assets from an account. Also with DC plans, there are clearing periods during which a hold is placed on the funds, and additional protections that make these plans safer, he said.
“Remember, these are tax-deferred accounts,'' Mr. Taylor said. “If you try to transfer the funds, there's paperwork to be filled out and a liquidation process. There's no immediate access for a hacker into a DC fund.”
How to protect
Mr. Taylor and others stressed that DC plans and their service providers shouldn't treat the procedural complexity of withdrawals as a substitute for evolving, proactive cybersecurity protection. Mr. Sommer said he recommends four steps for cybersecurity protection:
- cross-department oversight;
- internal and external reviews;
- training and education; and
- technology review.
Mr. Sommer said cybersecurity problems aren't solved solely by the information technology department of a service provider or a plan sponsor. “The first reaction in the DC world with cybersecurity is to stick it to the IT group,” Mr. Sommer said. “That's incorrect. Compliance, leadership, cooperation — plans need to work all these together. But that's often overlooked, and it's just shipped to IT to take care of. That's a big mistake. Then you need to look both internally and externally. Lots of DC plans outsource their IT, record keeping, communications. You also need to see if all those providers have cybersecurity in place. You need to see the big picture — see the risks and who's accountable.”
A response to a breach must also be handled across groups at the plan, the service provider and other third-party vendors, including whoever has fiduciary responsibility and whoever is responsible for plan communications, Mr. Sommer said. “Everyone has to be a part of this. All the connecting pieces have to work together — that could mean 25 to 50 different parties.”
Along with education and training of plan sponsors, service providers and participants, Mr. Sommer said reviews of technology used by plans and their providers are crucial. “There have been so many changes in cybersecurity, this aspect could be the most critical,” he said. “In the past, it was expected that a strict and strong firewall around a network was the best protection against unauthorized access. But people came to realize that there will be illegal access other ways than a direct attack. You need detection and a breach response plan. You also need to verify IP addresses to see who's accessing the site. Not everyone does that.”
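As an added example of the detection and access verification Mr. Sommer calls for (not code from Mercer or any provider), the following runs two rules over a handful of constructed portal login records in an invented `key=value` log format: a participant logging in successfully from an address never seen for that account, and a single address trying many distinct user IDs in a short window, the pattern left by credential stuffing with passwords reused from other breaches. The thresholds, the window and the log format are assumptions; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login records in a hypothetical portal log format; the IPs are
# documentation ranges (RFC 5737) and the participant IDs are invented.
SAMPLE_LOG = """\
2016-10-03T08:12:44Z user=p1001 ip=203.0.113.7 result=success
2016-10-04T09:02:10Z user=p1001 ip=203.0.113.7 result=success
2016-10-04T09:05:33Z user=p2002 ip=203.0.113.40 result=success
2016-10-05T02:41:10Z user=p1001 ip=198.51.100.23 result=success
2016-10-05T02:41:12Z user=p2002 ip=198.51.100.23 result=failure
2016-10-05T02:41:13Z user=p3003 ip=198.51.100.23 result=failure
2016-10-05T02:41:15Z user=p4004 ip=198.51.100.23 result=failure
2016-10-05T02:41:16Z user=p5005 ip=198.51.100.23 result=success
2016-10-06T11:20:02Z user=p3003 ip=203.0.113.88 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts_raw>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped so a
    single bad record cannot stop the detector."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts_raw"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect(lines, stuffing_threshold=4, window=timedelta(minutes=10)):
    """Two rules over the stream, in log order.

    new_ip: a successful login from an address this participant has never
        succeeded from before.  The first-ever success only seeds the baseline,
        a deliberate trust-on-first-use trade-off that a real deployment would
        back with enrolment-time verification.
    credential_stuffing: one address trying at least `stuffing_threshold`
        distinct user IDs inside `window`, successful or not; reported once per IP.
    """
    known_ips = defaultdict(set)      # user -> addresses with a prior success
    recent = defaultdict(deque)       # ip -> (ts, user) events inside the window
    flagged_ips = set()
    alerts = []
    for ev in parse(lines):
        ts, user, ip = ev["ts"], ev["user"], ev["ip"]

        # Rule 2: sliding window of distinct accounts touched from this address.
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= stuffing_threshold and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append({"rule": "credential_stuffing", "ip": ip,
                           "distinct_users": len(distinct), "ts": ev["ts_raw"]})

        # Rule 1: only successes change or are judged against the baseline.
        if ev["result"] == "success":
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append({"rule": "new_ip", "user": user, "ip": ip,
                               "ts": ev["ts_raw"]})
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, p1001's login from 198.51.100.23 raises a `new_ip` alert, and the same address is flagged for credential stuffing three seconds later when it reaches its fourth distinct account. In practice the `new_ip` signal would feed a step-up check (a second factor or a hold on loans and withdrawals) rather than a log line alone, and would usually key on network or geolocation rather than the exact address so that ordinary address churn does not drown real alerts.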
Service provider response
While sources said there have been information breaches at DC plans, they have not been publicized, unlike breaches at banks and retailers, where the news media are notified so that customers learn of the breach quickly.
“Thus far, in our experience on cyberbreaches, disclosure by DC plan service providers has left something to be desired,” said Callan's Mr. Taylor, who serves on the Data Security Oversight Board at the SPARK Institute, a unit of the Society of Professional Asset Managers and Record Keepers, Washington.
Morgan Lewis' Mr. Hawes said the issue of ERISA exemption is one reason that disclosure is an issue. “State breach laws for non-retirement plans will be announced sometimes to get the news out to people that could be affected. ERISA pre-emption (from state breach notification laws) may be one explanation for why we have not seen defined contribution plan breaches in the news. This is not so much an issue of the size of the affected population as it is an issue of regulatory/legal obligations following a breach.”
A major concern of service providers and DC plan executives is keeping their cybersecurity policies and procedures close to the vest so cybercriminals can't learn how to access their records and assets. But that's becoming more difficult as DC plan requests for proposals for record keepers and other vendors ask for prospective vendors' cybersecurity details.
“It wouldn't be unusual for our members to get three or four questions a week in RFPs. And it wasn't just the volume of questions but the in-depth nature of those questions,” said Timothy Rouse, executive director of the SPARK Institute. “Our members just weren't comfortable giving out these answers. They were afraid some of the details of their cybersecurity procedures would end up on the Internet and give hackers a road map to their systems. They understand the reason for the questions, but they want to respond without sending out the keys to the kingdom.”
As a result, the SPARK Data Security Oversight Board was created in September 2015, tasked with creating a certification that, along with the International Organization for Standardization, or ISO, and other certification boards, will let consultants and their plan sponsor clients know that record keepers and fund managers have an approved cybersecurity program without releasing details publicly that could leave them open to cybercrime. The committee has surveyed the consulting community over the past year, and its members plan to have a framework for certification by the end of this year or in early 2017.
Mr. Rouse said the board has also worked with the U.S. Labor Department's ERISA Advisory Council, which in August said it would make recommendations to the Labor secretary on benefit plans' cyber risk strategies. According to the council's website, it has been looking at cybersecurity in benefit plans since 2011 and plans on making the recommendations this year.
This article originally appeared in the October 17, 2016 print issue as, "Plans face threats to crucial data".