How To Protect Retirement Plans From Cyber Criminals
April 8, 2020
Editor’s note: The COVID-19 global pandemic has urged companies around the world to focus their attention on providing for the health and safety of their employees and preparing their organizations for a period of disruption. On top of our regular articles examining the longer-term issues and trends impacting organizations, The One Brief will also bring our readers insights into the current situation.
Cyber criminals are constantly looking for new targets. Banks have ratcheted up their cyber defenses, making it tougher for cyber criminals to breach their systems, so hackers have begun targeting retirement plans.
In addition to the money at stake, retirement plans also hold a wealth of personal data. That data is a highly desirable target for some hackers. On top of that, any data breach can put companies – and their officers, who act as fiduciaries for their retirement plans – at risk in what’s proving to be an increasingly litigious environment.
This trend is concerning for plan sponsors, who must fulfill a strict set of fiduciary responsibilities – particularly when it comes to prudent handling and protection of plan assets. Digital features like online access to funds and records make these duties much more challenging.
According to Aon’s 2020 Cyber Security Risk Report, organizations often have a false sense of confidence regarding data security – particularly when it comes to the risks potentially posed by third-party service providers. Indeed, Aon’s 2019 Global Pension Risk Survey found that almost one-quarter of U.K. pension schemes’ trustees had no training in addressing cyber risks.
But while plan sponsors are responsible for protecting plan assets and information – even when outsourcing plan administration – cyber security training can be inconsistent among sponsors and the companies to which they outsource.
“The way forward is through clear understanding of roles to ensure cyber security savviness across partners – and document, document, document,” says Stephanie Snyder, commercial strategy leader of cyber solutions at Aon.
Retirement plan sponsors’ fiduciary obligation to prudently protect all plan assets and data also applies when they engage third-party providers that can have access to plan data (such as record keepers and actuaries). However, employing those third parties can complicate an organization’s understanding of its fiduciary responsibilities.
In the U.S., the Employee Retirement Income Security Act of 1974 (ERISA) imposes fiduciary duties on plan administrators. In its 2016 report focused on cyber risks, the ERISA Advisory Council on Employee Welfare and Pension Benefit Plans asked the U.S. Department of Labor to require that plan sponsors be familiar with security frameworks to protect retirement plan data.
Plan participants’ assets can also be at risk, and fraudulent access to those funds can similarly call into question whether plan sponsors have adequately met their fiduciary responsibilities. In one case, $2.6 million was taken through unauthorized loans from the accounts of 58 participants in a U.S. municipal retirement plan.
A recent report from advisory firm Crowe and the University of Portsmouth estimated fraud losses to U.K. pension funds at more than £6 billion ($7.4 billion), with growing identity fraud and cyber crime adding risk to those plans.
Understanding Fiduciary Roles And Responsibilities
Retirement plan sponsors must understand their fiduciary responsibilities regarding cyber risks, identify cyber security gaps and take steps to address them. Understanding what constitutes prudent behavior in exercising those responsibilities can be challenging: ERISA does not define which fiduciary safeguards may be appropriate, and what is reasonable heavily depends on a particular employer’s circumstances.
By comparison, the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides an outline of what organizations must do to protect health information, according to Thomas Meagher, senior partner and leader of legal consulting and compliance at Aon. “There’s no similar body of law or regulatory guidance for safeguarding retirement plan information,” he says. “The question is, what is prudent? It can vary from company to company.”
What becomes important, continues Meagher, is for plan sponsors and their plan fiduciaries to document their efforts to safeguard retirement plan data, demonstrating that their actions are prudent given the circumstances.
It’s also important to keep accountability in mind. “Even when plan sponsors outsource activities like record keeping, they don’t transfer their fiduciary responsibility,” adds Robert Wilen, senior partner, retirement solutions at Aon. “Leading plan sponsors define, document and role model their definition of prudent behaviors and make their best efforts to ensure their service providers do the same.”
“It’s in the best interest of all parties to build better cyber practices across the ecosystem of providers,” notes Snyder.
Reducing Cyber Risk Across An Ecosystem
Addressing the cyber risks facing retirement plans requires working across the organization and the retirement ecosystem. And that means bringing together risk, technology, legal and human resources teams, along with plan fiduciaries.
“The intersection of retirement funds and technology has created a gray area in many respects,” says Wilen. “This responsibility crosses IT, finance and HR silos. It needs these groups to work together – and it takes diplomacy to rally them around a common set of standards.”
Aon’s 2020 Cyber Security Risk Report outlines several steps retirement plan sponsors can take to help protect plan assets and data, as well as their own firms.
Gap assessment: Determine both the vulnerabilities and the protections in place, such as security governance, business operations security and other controls affecting retirement plan data. This includes evaluating the physical, administrative and technical safeguards, along with the security of third parties that have access to plan assets and data.
Risk mitigation plan: Once security gaps are identified, develop and implement a risk mitigation plan and an incident response readiness plan. While an organization might have data breach protocols in place, it needs to ensure that those protocols still consider the fiduciary committee. Plan sponsors should document details about the risk mitigation plan and the steps they are taking to reduce exposure to breaches.
Risk responsibility and risk transfer options: Finally, consider risk responsibility and risk transfer options. Agreements with third-party service providers should include detailed specifications for asset and data security, as well as methods to shift losses to service providers where appropriate. Cyber insurance, fiduciary liability insurance and crime insurance might be available to transfer a portion of risk and indemnify the company.
Employee and fiduciary committee training is a constant consideration. Firms need to ask themselves, for example, whether their organization is up to speed on the latest phishing scams that could endanger accounts.
“While hacking is a threat, social engineering continues to be a top method for cyber attacks,” Snyder observes. Plan sponsors should take steps to educate retirement account owners on basic cyber security awareness.
Protecting Data And Assets – Paramount For Plan Sponsors And Their Fiduciaries
Ultimately, plan sponsors and their plan fiduciaries are looking to protect plan assets and data, protect participants and protect themselves against litigation if a breach occurs. Process and documentation are essential elements of building that protection.
“In the retirement savings world today we’re seeing a lot of emphasis on diversifying assets and evaluating the prudence of various investment strategies,” says Meagher. “It’s the same now with protecting plan data. Diversify resources. Bring in any necessary expertise to evaluate data security safeguards from the plan fiduciary’s perspective. Build the record to show that you’ve taken the steps to protect data and hold partners to the same high standards.”