Special report: CYBERSECURITY
April 11, 2022 12:00 AM

Asset owner cybersecurity in crosshairs amid threats

Brian Croce
    Michael J. Colleran said the Maine pension fund uses an outside cybersecurity vendor to stay current on something that would be hard to do in-house.

    Plan sponsors are paying more attention to cybersecurity as threats continue to evolve and the Department of Labor investigates cybersecurity procedures.

    "We're seeing more threats and increased complexity in threats and so it has become a growing focus for us over the years," said Michael J. Colleran, chief operating officer and general counsel at Maine Public Employees Retirement System, Augusta.

    The $18.7 billion pension fund has had an external cybersecurity vendor — now Tyler Technologies Inc. — for about 11 years, Mr. Colleran said. The fund pays close to $300,000 annually, including $140,000 to Tyler Technologies and roughly the same to Presidio Networked Solutions LLC, its managed services provider, to safeguard plan assets and information of its more than 150,000 retirees and beneficiaries, Mr. Colleran added.

    MainePERS interacts with Tyler Technologies daily and receives system monitoring, training, penetration testing and vulnerability assessments, according to Mr. Colleran. "That gives us access to expertise that stays current on threats and the best practices for protecting against those threats," he added. "That would be something that would be very difficult, if not impossible, for us to maintain in-house." The pension fund also has an in-house IT team that includes a security analyst, he added.

    On the defined contribution side, attention paid to cybersecurity among plan sponsors has increased over the last year, due in large part to Department of Labor guidance issued in April 2021, sources said. The guidance covered all ERISA-covered plans, but especially satisfied a need among DC plan sponsors for how to handle their cybersecurity responsibilities.

    "The plan sponsor community writ large was hungry for this guidance and largely acted immediately to implement it in the majority of cases," said Ben Taylor, Los Angeles-based senior vice president and head of tax-exempt DC research at Callan LLC.

    DOL guidance

    Following a February 2021 report from the Government Accountability Office with tailored cybersecurity recommendations, the Labor Department unveiled a three-piece guidance package detailing best practices for maintaining cybersecurity for plan sponsors, plan fiduciaries, record keepers and plan participants. It marked the first time the Labor Department's Employee Benefits Security Administration issued cybersecurity guidance.

    The first piece of guidance included tips for plan sponsors and fiduciaries on how to select a service provider with strong cybersecurity practices and how to monitor its activities. The tips include asking whether the service provider has experienced past security breaches, what happened and how the service provider responded, and making sure any contract with a service provider requires ongoing compliance with cybersecurity and information security standards.

    The second piece of guidance was a list of 12 cybersecurity program best practices for plan sponsors and record keepers, such as having a reliable annual third-party audit of security controls and ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

    The final piece was a set of online security tips for plan participants and beneficiaries when accessing a retirement account.

    The Labor Department guidance "didn't necessarily break new ground, but it put a helpful baseline out there for the industry," said Dennis Simmons, executive director for the Committee on Investment of Employee Benefit Assets in Washington, whose 115 members are asset owners with more than $2 trillion of defined benefit and defined contribution plan assets.

    Amy Reynolds, Richmond, Va.-based partner and senior retirement consultant, defined contribution plans, at Mercer LLC, said the guidance was helpful in that it gave plan sponsors a clear indication that cybersecurity was an area on which they need to focus. "Not that they were oblivious to it in the past, but this has heightened focus on this issue," she said.

    Routine cybersecurity audits

    Following the publication of the guidance, cybersecurity audits are now a routine part of the Labor Department's investigative work, said Ali Khawar, acting assistant secretary of the agency's Employee Benefits Security Administration, in an email to Pensions & Investments.

    The Labor Department does not want to make "blanket statements about the industry's preparedness based solely on the plans that we have audited," Mr. Khawar said. "It is fair to say, however, that based upon our experience, there are significant vulnerabilities. Those plans we have investigated have shown interest in improving their cybersecurity and implementing the principles set out in the department's guidance."

    David Kaleda, a Washington-based principal at Groom Law Group, has had clients' cybersecurity practices investigated as part of routine probes by the Labor Department. When asking about a plan's cybersecurity procedures, Mr. Kaleda said the department's questions are "clearly gleaned from the guidance, so they're just kind of using it as a checklist, effectively, in their investigations."

    Mr. Kaleda added, "The DOL was trying to make it clear that plans, plan sponsors and their service providers need to look at this, and I think the retirement business community has gotten the message and is definitely looking at it."

    If the Labor Department finds cybersecurity deficiencies, it will require the plan sponsor or service providers to rectify the issue, Mr. Kaleda said. If the department believes that a participant incurred a loss, such as if an account balance was stolen due to the plan's poor policies and procedures, it likely would require restoration of the loss. It could impose a penalty on the plan in the event of a fiduciary breach resulting in a loss, he added.

    The Labor Department guidance aligns closely with the SPARK Institute's standards, said Tim Rouse, Simsbury, Conn.-based executive director at SPARK, which represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms.

    SPARK formed the Data Security Oversight Board, composed of industry stakeholders, that published a set of cybersecurity best practice standards in 2017.

    Mr. Rouse said he expects the Labor Department to issue additional guidance and is hopeful fraud prevention is an area of focus.

    Callan's Mr. Taylor, vice chairman of SPARK's Data Security Oversight Board, said the current guidance is an excellent starting point but "not an endpoint by any stretch."

    Mr. Khawar said several times publicly that the 2021 guidance will not be the end of the department's work in the cybersecurity arena. When asked if further guidance or a rule-making initiative was possible, Mr. Khawar said in the email, "We may issue additional guidance in the future relating to topics and plans not specifically discussed in the guidance documents."

    He added, "ERISA-covered plans hold trillions of dollars in assets and the personal data of more than 150 million American workers and their dependents. Without strong cybersecurity practices, these retirement assets and personal data are at risk. Unfortunately, plans are not immune from the same sort of cybercrimes that we have seen in so many other contexts."

    'On your guard'

    Although many companies have spent more time and money on cybersecurity in recent years, "It's clear that these cybercriminals are pretty crafty, they use a combination of methods and you always have to be on your guard as a fiduciary or a service provider," Mr. Kaleda said.

    Many bad actors in the cybersphere turned their attention to defrauding pandemic unemployment systems because it was easier than getting data or money from a retirement plan, Mr. Taylor said. Now, with the cessation of the pandemic-era economic programs and the continued work-from-home environment, there's been a rise in ransomware attacks attempting to steal retirement plan assets and information, Mr. Taylor added. "People are using personal devices to connect to the workplace, (so) there's a lot of sensitive information which is being exchanged in less secure environments than would otherwise be ideal," he said, noting a potential target for bad actors.

    Also, with Russia's invasion of Ukraine, "this is a potentially fragile time for cybersecurity," Mr. Taylor said, noting Russia's history with cyberattacks.

    And given the evolving and persistent cyberthreats, cyber insurance for retirement plans is rising, but prices vary, Mr. Taylor added. "Given that the services themselves are evolving, as is the size and magnitude of the threat, the prices themselves are fairly dynamic," he noted.

    Some DC plan sponsors are looking to hire additional service providers to handle their cybersecurity needs in light of the Labor Department guidance.

    Mercer's Ms. Reynolds said some organizations have found "they lack the internal expertise, or their internal resources are stretched (and) are turning to third parties to assist them in this space. As a result, they may be incurring costs that they hadn't previously."

    Jay Gepfert, Norwalk, Conn.-based president of The Culpepper Group LLC, a third-party service provider RFP manager for DB and DB plan sponsors and endowments, is assisting plans in hiring cybersecurity audit companies.

    On one cybersecurity audit RFP, Mr. Gepfert said the highest bid was five times greater than the lowest bid. "I think the audit companies are trying to figure out what the market will bear," he added.

    Mr. Gepfert said plan sponsors are better off paying for a reliable third-party audit of their cyber controls in order to comply with the Labor Department guidance. "This is not a DIY project," he said, and speculated that the "next wave of litigation is going to come on the cybersecurity side."

    Mr. Kaleda said there is litigation risk with respect to cybersecurity and plan sponsors. "This litigation will involve the loss of benefits as a result of cyber-enabled fraud," he said. "I think the plaintiffs' lawyers and the courts are trying to figure out how to apply the law in these circumstances."

    The increased focus on retirement plan cybersecurity is unlikely to dip in this environment, sources said.

    "It's an issue you feel you may never necessarily outrun the bad guys," CIEBA's Mr. Simmons said. "So there's constant vigilance and I don't see that changing."
