Plan Security Relies on Vetting 3rd-Party Providers

Retirement plan recordkeepers’ increasing reliance on third-party vendors for various administrative services and tools poses a challenge for plan sponsors who need to vet these vendors, especially as many have been exposed to cybersecurity breaches in the past year.

To protect participant data and personal information, plan sponsors should be aware of the subcontractors with which their recordkeepers work, of which have access to participant data, and of how to respond to a breach when one occurs.

When Infosys McCamish Systems LLC suffered an external system breach last year, major recordkeepers and insurance companies like T. Rowe Price, Vanguard and Principal Life Insurance Co. were impacted. More than 6 million people had their Social Security numbers, email address, usernames and passwords, drivers’ licenses and passport information exposed.

In a more recent incident, multiple clients of CBIZ Inc.’s benefits and insurance services were affected by a June breach that leaked the personal information retired employees at CBIZ clients.

The Department of Labor issued updated cybersecurity guidance last month for ERISA-covered employee retirement benefit plans and health and welfare plans. Lisa Gomez, assistant secretary of Labor in charge of the Employee Benefits Security Administration, said in a statement that all plans covered by the Employee Retirement Income Security Act need to implement “appropriate best practices” to help protect participants and their beneficiaries from cybercrime and emerging threats.

The updated guidance included tips for plan sponsors and fiduciaries when hiring a service provider. For example, the DOL recommended that plan sponsors compare their service provider’s information security standards, practices and policies, and audit results to industry standards adopted by other financial or health institutions.

Jon Meyer, the chief technology officer at CAPTRUST, says it is important for plan sponsors to fully implement the DOL guidance.

“Ideally, if you’re vetting your recordkeeper, which is probably a large company, they are going to be able to tell you how they are vetting all of their suppliers,” Meyer says. “In turn, you’re going to be able to get a little more confident that they have made efforts to make sure that they are not entrusting key data to suppliers who are not worthy of dealing with that data.”

Asking the Right Questions

Kristine Sciangula, a retirement plan administrator for the defined benefit and defined contribution plans run by Suffolk County, New York, says her plan’s contract with its recordkeeper, T. Rowe Price, explicitly states that T. Rowe Price cannot delegate the “material duties” under the agreement to any other entity without the plan’s consent.

The Suffolk County plan also includes certain requirements for approved subcontractors, such as providing insurance certificates, stock audit reports and information security policies.

Sciangula says three of the third-party vendors used by the plan’s recordkeeper have experienced breaches—including check mailing company R.R. Donnelley; PBI Research Services, which searches for missing participants; and Infosys McCamish. According to Sciangula, T. Rowe Price made it clear that the Suffolk County plan was not specifically impacted by these breaches, as there is no proof of participant information being obtained.

Sciangula says one issue she has come across is that some recordkeepers do not consider all providers to be “third-party subcontractors.”

“Because of the fact that [recordkeepers] don’t call all these [providers] ‘subcontractors,’ this year when we did our RFP, we changed our questions to specifically ask about vendors and other companies being used,” Sciangula says.

Instead of using the term “subcontractors,” Sciangula says the request for proposal asked broader questions, such as the names of the companies being used, the locations where services would be performed and the qualifications of each company the recordkeeper intended to involve in any way.

Some recordkeepers did not answer those questions, Sciangula found. Many responded that they used third-party providers but did not name the company or detail the services they provide.

Meyer says if a provider cannot answer certain questions or is unable to complete an assessment, it should raise a red flag.

“If I went to a supplier, say a high-volume printing supplier, and they don’t have an information security team, or they really don’t know how to answer the questions on a shared assessment, I would be a little suspect,” Meyer says. “I would be concerned that they don’t have professionals engaged, in the same way that [you would] if you brought your car to the mechanic and he didn’t have any wrenches.”

Sciangula says her plan’s RFP also asked recordkeepers if they agreed not to sell or make available any participant information without the plan’s consent, as well as if any of the recordkeepers’ subcontractors or vendors had experienced a data breach in the last five years. If they had experienced a breach, the RFP asked for an explanation and detailed outcome. Again, she says some recordkeepers did not answer the last question.

Contract Terms

Sciangula says her plan’s contract with its recordkeeper details which companies would have access to participant information, and the recordkeeper should agree it is responsible for the security of information in its systems, as well as of any information provided or managed by a contractor. She says the plan creates a new contract every five years, but sometimes during that contract period, a recordkeeper may get a new vendor.

“We’ve requested meetings before to discuss what information would be given to the [vendor] and how would that information be transmitted and secured,” Sciangula says. “We’ve brought in our IT people and their IT people to explain how the data is transmitted and how often it is purged or deleted.”

Once, Sciangula says, the plan was able to opt out of using a particular vendor because it allowed a third party to unnecessarily have access to participant data.

“Having another company to worry about having our information just wasn’t worth it,” she says.

The ability to opt out of using a service provider is unusual, but Sciangula says her plan is extremely focused on knowing which companies are involved and understanding the information to which those companies have access.

Red Flags

Meyer adds that it is imperative for plan sponsors to understand who is liable if a data breach occurs, as well as who will notify participants and deal with calls from those impacted.

Prior to contracting with a supplier, Meyer says a plan sponsor should understand the process for managing communications if a breach occurs and who is contractually responsible for costs associated with it.

Veronica Bray, a 401(k) and 403(b) service provider search consultant who owns Retirement Plan Advisor Search in High Point, North Carolina, says she has found that some advisers are not forthcoming about their cybersecurity practices.

“Sometimes [advisers] will say that they don’t have any participant data or plan data, or they don’t receive any personally identifiable information, and they’ll just kind of paint over it,” Bray says. “That’s something that would be a red flag to me—if they’re not willing to go into detail about what their cybersecurity policies and protocols are.”

She says she likes to see that advisers and recordkeepers are testing their controls to make sure employees are not clicking on suspicious emails, as well as training their employees about safe cybersecurity practices.

In addition, Bray specifically asks in an RFP if a recordkeeper works with third-party service providers for rollover services, student loan repayment services, financial wellness services or any other types of services outside the plan. She then requires the recordkeeper to provide the names of these organizations, along with their digital policies and procedures.

Meyer says that in many recent breaches, criminals have attacked a piece of software “hidden in the bowels” of IT organizations that may be unknown to most staffers, yet transports significant critical data.

“I think [when] the software itself has some kind of hidden vulnerability that nobody knows about until after a lot of data has been stolen … it’s super hard to guard against,” Meyer says. Breaches are “inevitable, because everybody’s running some piece of software that they didn’t write, that they’re relying on somebody else to have fully vetted and tested. At the end of the day, it’s really hard to do that with perfection constantly.”

Nevertheless, fiduciaries need to do their due diligence when vetting providers. Meyer recommends two different approaches when vetting providers. One is requesting a SOC 2 Type II report: a third-party audit that assesses a company’s internal controls and systems related to security, processing integrity, confidentiality and privacy of customer data over a period of time. The reports are based on the American Institute of Certified Public Accountants’ trust service criteria and apply to any business handling sensitive customer information.

An alternative to the SOC 2 Type II report is to conduct a shares assessment, which uses a 1,000-item questionnaire about the supplier’s processes. Meyer says working with a specialist or an ERISA attorney is helpful when conducting vendor reviews.