October 17, 2016 01:00 AM

DC plans face threats to crucial data

But experts say ERISA might exempt some from notification laws

Rick Baert
    Dave Murray/i2i Art

    Updated with correction

    A global rise in cybersecurity breaches at targets as varied as Yahoo Inc. and the Democratic National Committee has put DC industry executives on notice that the theft of personal information, and the potential theft of assets, are threats as serious to them as they have been to other industries.

    “We should take the threat seriously, and the major providers and consulting firms, along with plan sponsors, are taking the threat extremely seriously,” said Ben Taylor, vice president, defined contribution consultant, at Callan Associates Inc., Chicago. “It is true that these plans include the use of personal information, as well as large sums of money, and as a result, it is incumbent upon the industry to continue to do an excellent job protecting both.”

    Breaches can happen. The Chicago Deferred Compensation Plan, a $3.6 billion 457(b) plan, in June had $2.6 million taken through unapproved loans from 58 participant accounts accessed with stolen participant identification. Plan officials and Nationwide Retirement Solutions, the plan's provider, restored the assets within five days, said Ryan Ankrom, Nationwide spokesman.

    Gregg Sommer, Chicago-based principal and head of operational risk assessment at Mercer Sentinel, said the information kept by DC plans and their service providers closely resembles what banks and other financial services firms hold, which makes plans an attractive target.

    “Take a step back and look at these different sectors — banking, financial services,” Mr. Sommer said. “These are all sectors that have commonalities like electronic connections and fiduciary responsibilities. Those all create vulnerabilities and also an attraction to hackers.”

    Mercer Sentinel is the investment operations consulting business of Mercer LLC.

    Cybersecurity issues are “not really unique in defined contribution,” added Raj Chaudhary, principal, cybersecurity services leader, at Crowe Horwath LLP, Chicago, a public accounting, consulting and technology firm. “Hackers are getting smarter and are getting better at decrypting. ... We need to get smarter overall in protecting online sites like banking and DC portals. Ninety-five percent of those sites are protected, but the level of protection can vary.”

    But defined contribution plans face issues specific to them when it comes to cybersecurity, mainly related to those plans' governance under the Employee Retirement Income Security Act of 1974, which sets the fiduciary requirements for retirement plans. The question of whether ERISA exempts plans from the 47 separate breach notification laws among the states and the District of Columbia has not yet been dealt with, said Matthew H. Hawes, Pittsburgh-based partner in the employee benefits and executive compensation group at law firm Morgan Lewis & Bockius LLP. He also co-leads the group's efforts on data privacy and cybersecurity.

    Public DC plans like Chicago's are exempt from ERISA.

    “We really think a lot about ERISA exemptions and their impact,” Mr. Hawes added. “The courts have not ruled on (cybersecurity responsibility) yet. Then there are 47 different laws from states and the District of Columbia described as data breach notification laws or local data privacy laws that address cybersecurity. It's a new area.

    “Pre-emption could apply, but that doesn't mean plan sponsors or committees are off the hook,” Mr. Hawes said. “They could face separate issues related to cybersecurity as a plan fiduciary. How and the extent the state laws apply to retirement plans and retirement plan fiduciaries are open questions due to ERISA pre-emption that likely will be resolved by the courts. Even if there's no specific requirement for responsibility under a state law, that doesn't mean that fiduciaries don't need to do something.”

    Most defined contribution plan executives and service providers contacted for this story did not return calls or e-mails for comment, with one DC plan official saying not for attribution that he didn't want to put the plan's name in the mind of any potential hackers. However, Emily Farrell, spokeswoman for Vanguard Group Inc., Malvern, Pa., said in an e-mailed response to questions on cybersecurity that the firm puts “an undeniable premium on security issues due to the nature of our business and commitment to protecting our clients' data.”

    Vanguard, which has $380 billion in assets record kept for 5,602 plan sponsors and 4.08 million participants as of Dec. 31, according to Pensions & Investments' data, has faced criticism that it was too easy for some to gain access to participant information, with logins succeeding even when the entered password contained typographical errors. But Ms. Farrell said Vanguard continually updates and reviews its cybersecurity procedures to ensure the information is secure. “We are aware of the responsibility we bear when our clients place their trust in Vanguard, hence the significant resources that we dedicate to protecting our clients and their assets,” Ms. Farrell said.

    DC breach threats

    Weak passwords and hackers' ability to guess login information are among the main cyberthreats to DC plans.

    “If I can build an identity profile of someone, I can guess how to reset a password,” said Mr. Chaudhary of Crowe Horwath. “The names of people's dogs or their kids are common passwords. Everyone has a habit of using the same one or two passwords for all their access. Guess what? That means all are susceptible to a stolen password.”

    Mr. Chaudhary said some DC plan portals, whether web-based or accessed through apps, are adopting a layered identification approach including required dual IDs, with passwords provided by both the service provider and the plan participant, and fingerprint identification, which, he said, “is definitely better than using passwords. But will that become more broadly used? That's a challenge. ... Still, the layered approach is one of the best solutions, but most sites don't use it.”

    There's also a very low-tech issue that could provide big rewards for hackers — many older participants demand paper DC account statements, which contain participant names, addresses and account numbers.

    “The older generation wants hard copy,” Mr. Chaudhary said. “DC statements are another major source of information, like account numbers and names. ... When we do audits of banks and financial service firms, we go so far with some of our clients to actually do dumpster-diving at their sites to see if we can find printouts of account numbers and other confidential information, because that's often what hackers are doing.”

    Mercer's Mr. Sommer said more elaborate ways of obtaining password information could be less successful than simply looking over the shoulder of a participant accessing their account on a laptop computer or smartphone in a public place. “Hackers can be very complex, but sometimes they can access information through very primitive needs,” Mr. Sommer said. “So much of these things are accessible, it's not all that difficult to get. So participants need to know password protection techniques. And once that oversight (of participant education) is established, then the training can begin. It's the basics — you need a good password, not a pet's name or a nickname. That's important. Participants need to be as educated as anyone else, not only in creating strong passwords but in changing passwords frequently and to recognize phishing and spoofing e-mails.”

    Mr. Chaudhary said participant education is lacking and that the industry as a result is more reactive on cybersecurity than proactive.

    “I'm not seeing a whole lot of educating users,” he said. “Once hacked, they're forced to change IDs and passwords, make them more complex and less accessible. They usually create a password policy to force them to make security changes. But that's more often after a hack has happened.”

    While ID information might be available to hackers, Callan's Mr. Taylor said, accessing DC plan assets won't be as easy. “It's not as simple as with credit cards or banks where they can immediately liquidate an account,” Mr. Taylor said.

    In some cases, hackers are caught during the check issuance process after a request is made online to withdraw assets from an account. Also with DC plans, there are clearing periods during which a hold is placed on the funds, and additional protections that make these plans safer, he said.

    “Remember, these are tax-deferred accounts,'' Mr. Taylor said. “If you try to transfer the funds, there's paperwork to be filled out and a liquidation process. There's no immediate access for a hacker into a DC fund.”

    How to protect

    Mr. Taylor and others stressed that DC plans and their service providers should not rest on the procedural complexity of withdrawals as a substitute for evolving, proactive cybersecurity protection. Mr. Sommer said he recommends four steps for cybersecurity protection:

    • cross-department oversight;
    • internal and external reviews;
    • training and education; and
    • technology review.

    Mr. Sommer said cybersecurity problems aren't solved solely by the information technology department of a service provider or a plan sponsor. “The first reaction in the DC world with cybersecurity is to stick it to the IT group,” Mr. Sommer said. “That's incorrect. Compliance, leadership, cooperation — plans need to work all these together. But that's often overlooked, and it's just shipped to IT to take care of. That's a big mistake. Then you need to look both internally and externally. Lots of DC plans outsource their IT, record keeping, communications. You also need to see if all those providers have cybersecurity in place. You need to see the big picture — see the risks and who's accountable.”

    A response to a breach must also be handled across groups at the plan, the service provider and other third-party vendors, including whoever has fiduciary responsibility and whoever is responsible for plan communications, Mr. Sommer said. “Everyone has to be a part of this. All the connecting pieces have to work together — that could mean 25 to 50 different parties.”

    Along with education and training of plan sponsors, service providers and participants, Mr. Sommer said reviews of technology used by plans and their providers are crucial. “There have been so many changes in cybersecurity, this aspect could be the most critical,” he said. “In the past, it was expected that a strict and strong firewall around a network was the best protection against unauthorized access. But people came to realize that there will be illegal access other ways than a direct attack. You need detection and a breach response plan. You also need to verify IP addresses to see who's accessing the site. Not everyone does that.”
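    The detection Mr. Sommer describes, verifying who is accessing the site rather than relying on a perimeter firewall, can be made concrete against the pattern of the Chicago Deferred Compensation Plan incident above, where stolen participant credentials were used to pull loans from dozens of accounts. The following is an added example, not code from the article or from any provider it names. It runs two hypothetical rules over a constructed event feed (participant IDs, IP addresses and timestamps are all made up): flag a loan or withdrawal request that follows a login from an IP address the participant has never used, and flag one IP address logging in to several different accounts in a short window.

```python
"""Account-takeover detection over a constructed login/transaction feed.

Two checks, both simplified for illustration:
  A. a loan or withdrawal request shortly after a login from an IP address
     the participant has never used before;
  B. one IP address logging in to several distinct participant accounts
     within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed baseline: IP addresses each participant has used before (not real data).
KNOWN_IPS = {
    "P1001": {"198.51.100.10"},
    "P1002": {"203.0.113.7"},
    "P1003": {"198.51.100.23"},
    "P1004": {"198.51.100.44"},
}

# Constructed event feed: (timestamp, participant_id, source_ip, action).
EVENTS = [
    ("2016-06-01 08:00:00", "P1001", "198.51.100.10", "login"),
    ("2016-06-01 08:02:00", "P1001", "198.51.100.10", "view_balance"),
    ("2016-06-03 09:10:00", "P1002", "203.0.113.7", "login"),
    ("2016-06-03 09:11:00", "P1002", "203.0.113.7", "loan_request"),  # familiar IP: benign
    ("2016-06-05 02:14:00", "P1001", "192.0.2.55", "login"),          # unfamiliar IP
    ("2016-06-05 02:16:00", "P1001", "192.0.2.55", "loan_request"),   # loan two minutes later
    ("2016-06-05 02:20:00", "P1003", "192.0.2.55", "login"),
    ("2016-06-05 02:21:00", "P1003", "192.0.2.55", "loan_request"),
    ("2016-06-05 02:25:00", "P1004", "192.0.2.55", "login"),          # third account, same IP
    ("2016-06-05 02:26:00", "P1004", "192.0.2.55", "loan_request"),
]


def detect(events, known_ips, loan_window=timedelta(minutes=30),
           shared_ip_threshold=3, shared_ip_window=timedelta(hours=1)):
    """Return a list of alert tuples, in the order they fire."""
    known = {pid: set(ips) for pid, ips in known_ips.items()}
    unfamiliar_login_at = {}          # participant -> time of latest login from an unfamiliar IP
    logins_by_ip = defaultdict(list)  # ip -> [(time, participant), ...]
    alerts = []

    for ts, pid, ip, action in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, TS_FMT)

        if action == "login":
            logins_by_ip[ip].append((t, pid))
            # Rule A, step 1: remember logins from an IP this participant has not used.
            # The IP is deliberately NOT added to the trusted set here; that should
            # only happen after out-of-band confirmation with the participant.
            if ip not in known.get(pid, set()):
                unfamiliar_login_at[pid] = t
            # Rule B: the same IP reaching several accounts inside the window.
            recent = {p for t0, p in logins_by_ip[ip] if t - t0 <= shared_ip_window}
            if len(recent) >= shared_ip_threshold:
                alerts.append(("shared_ip", ip, tuple(sorted(recent)), ts))

        elif action in ("loan_request", "withdrawal_request"):
            # Rule A, step 2: money movement soon after an unfamiliar-IP login.
            t0 = unfamiliar_login_at.get(pid)
            if t0 is not None and t - t0 <= loan_window:
                alerts.append(("loan_after_new_ip", pid, ip, ts))

    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```

    On the sample feed this fires three loan-after-new-IP alerts (P1001, P1003 and P1004) and one shared-IP alert for 192.0.2.55, while P1002's loan from a familiar address passes. Two caveats a record keeper would need to handle: many legitimate participants sit behind a single employer NAT address, so the shared-IP threshold and window must be tuned per plan rather than fixed; and an alert should place the request on the kind of hold the article describes and trigger out-of-band verification, not silently block it.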

    Service provider response

    While sources said there have been information breaches at DC plans, they have not been publicized, unlike breaches at banks and retailers, where the news media were notified to make sure customers learned of them quickly.

    “Thus far, in our experience on cyberbreaches, disclosure by DC plan service providers has left something to be desired,” said Callan's Mr. Taylor, who serves on the Data Security Oversight Board at the SPARK Institute, a unit of the Society of Professional Asset Managers and Record Keepers, Washington.

    Morgan Lewis' Mr. Hawes said the issue of ERISA exemption is one reason that disclosure is an issue. “State breach laws for non-retirement plans will be announced sometimes to get the news out to people that could be affected. ERISA pre-emption (from state breach notification laws) may be one explanation for why we have not seen defined contribution plan breaches in the news. This is not so much an issue of the size of the affected population as it is an issue of regulatory/legal obligations following a breach.”

    A major concern of service providers and DC plan executives is keeping their cybersecurity policies and procedures close to the vest so cybercriminals can't learn how to access their records and assets. But that's becoming more difficult as DC plan requests for proposals for record keepers and other vendors ask for prospective vendors' cybersecurity details.

    “It wouldn't be unusual for our members to get three or four questions a week in RFPs. And it wasn't just the volume of questions but the in-depth nature of those questions,” said Timothy Rouse, executive director of the SPARK Institute. “Our members just weren't comfortable giving out these answers. They were afraid some of the details of their cybersecurity procedures would end up on the Internet and give hackers a road map to their systems. They understand the reason for the questions, but they want to respond without sending out the keys to the kingdom.”

    As a result, the SPARK Data Security Oversight Board was created in September 2015, tasked with creating a certification that, alongside those of the International Organization for Standardization, or ISO, and other certification bodies, will let consultants and their plan sponsor clients know that record keepers and fund managers have an approved cybersecurity program without publicly releasing details that could leave them open to cybercrime. The board has surveyed the consulting community over the past year, and its members plan to have a framework for certification by the end of this year or in early 2017.

    Mr. Rouse said the board has also worked with the U.S. Labor Department's ERISA Advisory Council, which in August said it would make recommendations to the Labor secretary on benefit plans' cyber risk strategies. According to the council's website, it has been looking at cybersecurity in benefit plans since 2011 and plans on making the recommendations this year.
