Protecting defined contribution plans and participants from computer hacking attacks requires a mixture of technical skills, fine-print reading of contracts and some necessary trade-offs between consumer comfort and plan protection.
Those three themes were highlighted Monday during a panel discussion on cybersecurity at Pensions & Investments' annual West Coast Defined Contribution Conference, in San Diego.
"There has to be a balancing act between security and customer service," said Keith Overly, executive director of the $13.4 billion Ohio Public Employees Deferred Compensation Program.
Plan sponsors face a dilemma of tightening security, added Margaret Daun, chief corporation counsel for Milwaukee County. Easy access for participants increases the risk of cyberattacks, but stricter controls could dissuade employees from using a plan's web-based entry point, she said.
"What is the appropriate balance?" she asked.
Ms. Daun noted Milwaukee County uses multiple tools to thwart hacking such as conducting third-party reviews of plans covering audits, vulnerability scans and testing for firewall breaches.
She also counseled sponsors who are considering or who have purchased cyber insurance: As with entering into any contract, read the fine print.
For example, she asked: Is the insurance capped at a certain amount? Does the insurance cover cyberattacks against individuals, or the plan members in aggregate? What are the deductibles? What is the cost of credit monitoring and/or the cost of notification of cyberattacks? If a cyberattack is caused in part by a user's negligence, who decides and who pays?
Tim Rouse, executive director of the SPARK Institute, said service providers still are wrestling with the exact definition of a computer breach — an important consideration in establishing protection protocols and insurance coverage.
The trade association's oversight board is working on a definition to provide "meaningful" information to avoid having executives responding to minor incidents and alerts that pile up, creating a form of technological white noise, he said. "We don't have a good definition of one now," Mr. Rouse said.
The SPARK Institute represents primarily record keepers, but the trade association also counts as members mutual fund companies, advisers, brokerage firms, insurers, banks, consultants, trade clearing firms and investment managers.