Administration October 2, 2023

Provider Due Diligence: Key to Avoiding Catastrophic Cyberattacks

The recent MOVEit breach highlighted the need for plan sponsors to carefully vet service providers in order to protect participants’ assets, data and personal information.

Reported by
Art by Anja Susanj

With the increased frequency of cyberattacks, including within the retirement industry, plan sponsors have a fiduciary responsibility to ensure that providers with whom their plans are working are taking cybersecurity seriously.

The recent breach of the encrypted file transfer software program MOVEit, which exposed the personal information of participants via financial firms, universities, the U.S. federal government and the California public retirement systems, brought to light the far-reaching implications of a data breach, even though it occurred at a vendor, rather than a plan sponsor.

Get more!  Sign up for PLANSPONSOR newsletters.

It also emphasized the importance of conducting in-depth requests for proposals, as well as annual due diligence, when considering plan vendors. In the MOVEit case, class action lawsuits have been filed against companies due to breaches suffered by servers run by other companies. Incidents can affect plan sponsors, even when they occur several layers of business away from the plan sponsor itself.

Screening for Cybersecurity in the RFP

Robert Massa, managing director at Qualified Plan Advisors, says the RFP process is crucial and that plan sponsors should be asking a series of questions to ensure a vendor’s cybersecurity practices are up to par. A vendor in this context could be an adviser, recordkeeper, custodian or any type of service provider.

In the RFP template Massa provides to his clients, it first asks any vendor to detail its firm’s policies, procedures and data encryption. This includes tools that the vendor uses to prevent unauthorized access, fraud, theft and misuse.  

Massa says he also asks vendors if they have ever experienced a breach and, if so, how they handled it. He says vendors sometimes do not want to answer that question, but plan sponsors have a fiduciary responsibility to know what has happened.

“No one should be embarrassed about the fact that they’ve been breached at this point,” Massa says. “It’s more a question of how you handle it than it is the fact that you got hacked. … You want to know what [the vendor’s] processes and procedures are for dealing these threats and protecting that personal, identifiable information.”

For example, Massa says a plan sponsor needs to know how data is stored and how data is received, especially because the sponsor regularly needs to transfer a payroll file that contains names, Social Security numbers, dates of birth, addresses, income numbers and more.

“There’s so much information in there that is critical, and you want to make sure that that data is protected both in transit and once it’s encrypted,” Massa says.

Another consideration that can be screened for in the RFP process is how a vendor deals with a participant who terminates employment and how their access to their payroll account, for example, is deactivated.

“It’s painful, but you’ve got to look at the SOC reports,” Massa says, referring to services organization controls reports. “You’ve got to be willing to roll up your sleeves and look at these audit reports and see what [a vendor’s] third-party auditors have said about their controls.”

A SOC report is governed by the American Institute of Certified Public Accountants and focuses on offering assurance that the controls put in place by service organizations to protect their clients’ assets (data, in most cases) are effective. There are several types of SOC reports, but plan sponsors should mainly be aware of SOC 1 and SOC 2 reports.

A SOC 1 focuses on outsourced services performed by service organizations that are relevant to a company’s financial reporting. A SOC 2 focuses more on operational risks of outsourcing third parties outside of financial reporting.

Paul Catenacci, senior partner in and head of the employee benefits practice group at Novara Law, says some providers will push back when asked about cybersecurity practices and may even ask the sponsor to sign a nondisclosure agreement in order to receive the information.

“On the provider side, they’ve got some legitimate concerns too,” Catenacci says. “They don’t necessarily want to publicize their security protocols. Some are saying [they] don’t want to reveal how much insurance [they] carry, because [they] don’t want to be a ransomware target [if] somebody knows [they] have a $30 million insurance policy.”

But Catenacci emphasizes that the Department of Labor expects employers to make prudent decisions when hiring service providers and that the vendor-vetting process should be well-documented.

“Plan sponsors need to be practical about this and [say], ‘Let’s weigh the costs and benefits,’” Catenacci says. “Certainly it’s a risk we need to manage, but not a risk we can manage in a vacuum.”

He suggests that a plan sponsor could have an IT focus group that helps with vetting service providers, as well as a cybersecurity expert that sits on the plan’s fiduciary committee—if they can afford it.

The Importance of Cybersecurity Insurance

Jon Meyer, chief technology officer at CAPTRUST, says it is crucial for plan sponsors, as well as any suppliers to the plan that process confidential information, to have cyber risk insurance.

“In addition to the financial coverage that cyber insurance can provide, it can also provide a team of really sophisticated experts who can assist any organization experiencing a breach, ranging from forensic information security personnel to lawyers [and] breach and mediation firms that have the scale and the capacity to contact consumers and support them with call centers,” Meyer says.

Allison Brecher, Vestwell’s general counsel and chief privacy officer, said plan sponsors should be aware that there has been a “sea change” in the cybersecurity insurance market since the start of the pandemic.

“Carriers are raising premiums and deductibles and, for some companies, dropping coverage altogether,” Brecher said in an emailed statement. “Plan sponsors should make sure that the service providers’ coverage levels, as well as the deductibles, are appropriate.”

Massa adds that a plan sponsor should ask vendors about their insurance coverage, and he says vendors should be candid about their errors and omissions policy, cyber policy and their access to protection in case of a breach.

Know Your Provider’s Provider

At the very least, Massa says a plan sponsor should ask vendors if the vendor uses any third-party subcontractors.

Hypothetically, a sponsor’s recordkeeper or third-party administrator could share a company’s data with an outsourced provider located outside the U.S. Massa says there is nothing illegal about outsourcing information, but the sponsor needs to know what is being done with that data before making a decision.

A sponsor may know that a vendor sends information to a company in Thailand, for example. If that company gets hacked, Massa says the sponsors needs to know how their employees will be protected against that breach.

“[The plan sponsor] is responsible for selecting that vendor and all the decisions that vendor makes,” Massa says. “Not asking the question and not doing due diligence is absolutely a problem.”

As seen with the MOVEit breach, Meyer explains that attackers are interested in getting into software products used across multiple organizations. If a sponsor hears about a major cyber breach, Meyer recommends they reach out to their vendors and ask if they were affected or if their suppliers were affected.

“Nobody can guarantee with certainty that everything they do is immune from that kind of exploitation,” Meyer says. “But what everybody can do is be really good at knowing their supplier.”

Part of a sponsor’s annual due diligence should include asking vendors follow-up questions, such as if they use any services like MOVEit and what their exposure is.

Educating Participants

As the Department of Labor explained in its cybersecurity best practices, plans need strong control procedures, guaranteeing that any system users are who they claim to be and that only appropriate parties can access IT systems and data.

Brecher said when a bad actor gets access to a plan participant’s login credentials through personal or work email, the bad actor will often log into the participant’s retirement plan account and take a distribution.

“These ‘account takeovers,’ as they are called, have little to do with the service provider, and carriers are routinely denying coverage for that type of loss,” Brecher said. “The best defense is a good offense, and plan sponsors should always be reviewing and reminding their own employees about [the] online security of their accounts, checking their statements regularly and immediately reporting any suspicious activities.”

Meyer says many breaches can be avoided by having multi-factor authentication in place. He says having passwordless security, which might address issues of fraud on the individual participant level, would be less secure than multi-factor authentication. With passwordless security, a participant is emailed a one-time password to use. Because multi-factor requires two steps of verification—a password and then a code—Meyer argues it is more secure.

Telling employees to create complex passwords and putting multi-factor security in place, Massa says, makes it more difficult for hackers to infiltrate accounts and provides an extra layer of protection in case of a breach.

Administration October 2, 2023

What’s at Risk in a Cyberattack on a DC Plan?

For protecting defined contribution plans, the stakes are high, with workers’ information—and trust—on the line.

Reported by
Art by Anja Susanj

Every organization working with a defined contribution plan shares the responsibility for protecting from cyberattack the data, reputation, trust and $10.2 trillion of accumulated assets in retirement plans. Safeguarding DC plans from digital security issues does not end with ensuring criminals do not steal workers’ nest eggs, explains Gregg Levinson, senior director for retirement at WTW.

“The risk is substantial: It is the integrity of the defined contribution system, broadly,” he says. “For vendors, it is their own integrity [and the] ability to protect their assets and their business model, [whereas] for employers, it is being able to also protect their employee assets and their employee relations.”

Get more!  Sign up for PLANSPONSOR newsletters.

The risks were highlighted this year when a breach of the encrypted file transfer software program MOVEit, owned by Progress Software Corp., hit financial firms, including asset managers and retirement plan recordkeepers, universities, the U.S. federal government and California public retirement systems. Related litigation against several of the affected firms remains pending, and additional vulnerabilities of Progress Software products continue to come to light.

For corporate business leaders, guarding against online threats is—for the ninth straight year—among the top three business concerns for leaders. Some 58% of 1,200 representatives of companies of all sizes worry some or a great deal about cyber risks, ranking vulnerability to attack just below medical cost inflation (60%) and broad economic uncertainty (59%), found the 2023 Travelers Risk Index, published on September 26.

Overall cyberattack statistics demonstrate that risks and concerns go well beyond the workplace. Computers of are infected with malicious software; 47% of U.S. adults have had personal information exposed by cybercriminals; and the Facebook accounts of 600,000 individuals are hacked every single day, according to data from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

What Is at Stake?

The risks can affect any organization. In addition to private employers, public sector employers and their retirement plans also grapple with a broad variety of digital risks to the accumulated retirement plan assets held by state and local government employees, says Matthew Petersen, executive director of the National Association of Government Defined Contribution Administrators.

“What’s at risk is really as broad as the different types of attacks that are out there, and they do run the gamut: from actually taking money out of an account to getting personally identifiable information and passwords that you could use to trade on the dark web or access other types of accounts,” Petersen says. “The risk is broad; the risk is hard to measure. It can touch any aspect of the organization and any aspect of the [DC] plan.”

More than half of business leaders surveyed by Travelers say it is inevitable their business will be a victim of a cyberattack. Allison Itami, a principal in Groom Law Group, says the risk for plan sponsors ranges widely.

“The data is at risk, assets are at risk, the reputation of the plan sponsor can be at risk or [that of] the service provider,” she says. “Also, fundamentally, the trust or the goodwill and the relationship can be at risk: There is a lot on the line if somebody were to lose access to their retirement savings.”

Protection Plan

Defined contribution plans can bolster their own support systems by committing to specific obligations. For cyber-risk oversight, writing the process into the plan charter is important, Levinson explains.

“Smart practice, and what we advise clients on, is to incorporate cybersecurity into [the] fiduciary oversight model and make sure [DC plans are] following key steps both from a process standpoint, an IT standpoint and [down the line],” he says. “But it is not just an HR issue. It is an IT issue, it is a business issue, it is a communications issue.”

For DC plan sponsors, incorporating cybersecurity response processes into the plan’s governing documents is the most important facet of cybersecurity oversight, should a breach occur, Levinson says, adding that WTW recommends plan sponsors have their own cyber policy similar to an investment or compliance policy.

Protecting the DC plan is a multi-pronged process, but “it starts with retirement plan committee awareness,” says Larry Crocker, founder and CEO of Fiduciary Consulting Group Inc. “One of the things that is recommended [for DC plans] is IT being involved in committees; if not a member of the committee, then at least periodically attending the committee and becoming a part of the [retirement plan] review process,.”

Participants are also responsible for taking cybersecurity seriously and observing proper protocols to maintain diligent systems.   

Notwithstanding “all the great systems in place, if an employee gets phished and clicks on it, [the systems do] not matter,” Levinson explains. “It all falls apart.”

Education is key to supporting the efficacy of government and corporate systems put in place, adds Levinson. “[DC plans] have to put a lot of systems and processes in place and have employees [who are often also plan participants] be vigilant against it; all have to work together to make it work,” he says.

Essential Stress Testing

Corporate and government plan sponsors should also explore mitigating the risk of cyberattack by stress testing plans in transactional audits, notes Levinson.

He explains that transactional auditing involves running through a transaction and, if there is an incident, noting what steps the provider will take, what steps the organization is going to take and how they match up with each other?

“It is a hypothetical: If an incident were to happen, what happens? Making sure that you as the plan sponsor are satisfied with your vendors’ response times, their answers to your questions—all those things—so that if something happens, you know what is going to happen and you are satisfied with what is going to happen,” he explains.

Stress testing the DC plan, with an audit of transactions “should be part of the committee’s responsibility,” adds Crocker.

Plan sponsors should consult the guidance of the Department of Labor’s 2021 cybersecurity best practices as a good place to begin, adds Levinson. Using the DOL guidance to educate participants also makes sense, according to Groom’s Itami.

Vulnerabilities

Examining a plan sponsor’s digital vulnerability will expose conditions that mitigate or exacerbate the risks, according to Crocker. The plan sponsor should execute its oversight responsibility by stress testing the plan recordkeeper periodically, he says.

“The risk is generally around the recordkeeper and having the employees’ accounts hacked or it’s to the recordkeeper and the employer with fraudulent distributions,” says Crocker. “That is the hub, [because] that is where the participants’ accounts reside.“

But the entire chain of cyberattack prevention and protection is only as strong or weak as each link, Petersen explains.  

“Anywhere in the chain of custody of information, there is vulnerability,” he says. “Whether you are talking about the end user—the person actually trying to access their account—whether you are talking about the administrator themselves, whether you are talking about a party who is connected to the administrator through software, there are really any number of vulnerabilities throughout the system.” 

Implementing, maintaining and reminding every partner to a DC retirement plan and participants themselves to observe “good cyber hygiene” remains critical, Petersen adds.  

“It is why we all do the training; it is why almost every government has some sort of cybersecurity training for the people who are touching the system to be able to use,” he explains. “It is really vigilance at all levels.”

«