Vendor Process Reviews Are Crucial to Retirement Plan Cybersecurity

A digital security expert says “the behavioral and human element of data protection is always the most challenging part.”

Art by James Yang


Patrick Murphy, CEO of John Hancock Retirement Plan Services, says that from his perspective leading a major retirement plan recordkeeper, cybersecurity has grown in the last five or so years to become a top daily concern.

“Cybersecurity is such a critical topic and it will remain so,” he says. “Knowing this, we now participate in one of the groups organized by SPARK that is designed to create best practices and more commonality in the retirement plan industry when it comes to securing and protecting data. We encourage all our colleagues to do the same.”


According to Murphy, John Hancock and other firms have begun “constantly sharing the information we learn about the fraudsters and bad actors out there” in the interest of better protecting plan sponsors and participants.

“As we identify the evolving types of cyber criminals that are targeting our space, we make sure that our clients and competitors know what is happening,” Murphy explains. “We have to collaborate like this because the bad actors are not just coming at us as a single organization. They are making a coordinated attack on our whole industry, and so we need to coordinate our defenses. When we help shut down an attack, we know we have an obligation to help others do the same, for the best interest of participants.”

Murphy says that his firm has embraced a multi-level cybersecurity system that is constantly evolving to meet new threats. He adds that genuine cybersecurity comes from a thoughtful and diligently applied combination of technical security protocols and internal processes built around multi-factor authentication, complemented by an overall organizational approach that also addresses the inevitability of human error.

“The network protection is always important but the behavioral and human element is the most challenging part,” Murphy says. “This is where advanced analytics and what we call active intelligence come into play. Take an example where you have had a participant that has for years logged into their account from the same device around the same time of day. Our systems can detect and monitor that, so that when a login attempt comes from another device at a different time that is outside the individual’s normal behavior pattern, a red flag immediately goes up. It doesn’t mean this is an attempt at fraud, of course, but it does mean we should take an extra step to verify who is attempting to access our system.”
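The behavioral check Murphy describes (a participant who normally logs in from one device at roughly the same hour, then suddenly appears from a new device at an odd time) can be expressed as a small baseline-and-deviation rule. The following is an added illustration written for this article, not John Hancock's system or code; the log format, participant and device identifiers, and the three-hour drift threshold are all constructed for the example. The point it shows is that the rule only raises a flag that triggers step-up verification; it does not by itself decide that a login is fraud.

```python
"""Login-anomaly flagging against a per-participant baseline.

Added example for illustration; the log lines, identifiers and thresholds
below are constructed, and this is not a real recordkeeper's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed history of successful logins: "timestamp participant device outcome".
HISTORY = """\
2019-05-01T08:02:11 P1001 dev-a ok
2019-05-08T07:58:40 P1001 dev-a ok
2019-05-15T08:10:03 P1001 dev-a ok
2019-05-22T08:04:55 P1001 dev-a ok
2019-05-03T21:15:00 P2002 dev-b ok
2019-05-10T21:40:12 P2002 dev-b ok
2019-05-17T22:05:33 P2002 dev-c ok
2019-05-20T03:00:00 P2002 dev-x fail
""".splitlines()


@dataclass
class Baseline:
    devices: set = field(default_factory=set)   # devices seen on successful logins
    hours: list = field(default_factory=list)   # hour-of-day of each successful login


def parse(line):
    ts, pid, dev, outcome = line.split()
    return datetime.fromisoformat(ts), pid, dev, outcome


def build_baselines(lines):
    """Build one Baseline per participant from successful logins only,
    so a failed attempt from an unknown device never 'teaches' the profile."""
    baselines = defaultdict(Baseline)
    for line in lines:
        ts, pid, dev, outcome = parse(line)
        if outcome != "ok":
            continue
        baselines[pid].devices.add(dev)
        baselines[pid].hours.append(ts.hour)
    return baselines


def hour_distance(h1, h2):
    """Circular distance between two hours on a 24-hour clock."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def assess_login(baselines, line, max_hour_drift=3, min_history=3):
    """Return the list of reasons a login deviates from the baseline.

    An empty list means 'consistent with history'.  Any non-empty list is a
    prompt for extra verification (step-up), not a verdict of fraud.
    """
    ts, pid, dev, _ = parse(line)
    base = baselines.get(pid)
    if base is None or len(base.hours) < min_history:
        return ["insufficient_history"]
    reasons = []
    if dev not in base.devices:
        reasons.append("new_device")
    if min(hour_distance(ts.hour, h) for h in base.hours) > max_hour_drift:
        reasons.append("unusual_time")
    return reasons


def requires_step_up(reasons):
    """Policy hook: any deviation, or no history at all, means verify further."""
    return bool(reasons)


if __name__ == "__main__":
    b = build_baselines(HISTORY)
    for attempt in ["2019-06-05T08:05:00 P1001 dev-a ok",
                    "2019-06-05T02:30:00 P1001 dev-z ok",
                    "2019-06-01T21:30:00 P2002 dev-c ok",
                    "2019-06-01T10:00:00 P3003 dev-q ok"]:
        r = assess_login(b, attempt)
        print(attempt.split()[1], r, "step-up" if requires_step_up(r) else "allow")
```

The baseline is deliberately built only from successful logins, and the time rule uses circular hour distance so a 23:00 login is treated as close to a 01:00 baseline rather than 22 hours away.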

Sponsors Must Carefully Monitor Vendors

According to Bart McDonough, CEO and Founder of Agio, a managed IT and cybersecurity services provider active in the financial services and health care space, many retirement plan fiduciaries do a lackluster job monitoring the cybersecurity performance of the vendors they work with on a daily basis. In his practice consulting on cybersecurity, McDonough sees a lot of “checking-the-box” behavior when it comes to monitoring vendors. 

“We see people sending detailed spreadsheets asking some pretty advanced cybersecurity questions, and they feel doing this allows them to certify that they did some type of vendor review,” he says. “From our perspective, this kind of exercise is actually a waste of time and energy. We can say from experience it just doesn’t work. Real security is not a check-the-box item—it takes diligence to figure all this out.”

Looking across the financial services landscape, McDonough says, pretty much every provider can do a good job responding to these questionnaires.

“Where the real distinction comes in is when you look at specifically how technology tools and solutions are being used by one firm versus another,” McDonough explains. “Take the use of the very popular Salesforce customer relationship management system. The real security variable is not whether or not you use Salesforce. Rather, the security variable is how well the program is configured, used and maintained. There are 100 Salesforce configuration options that can make the platform more or less secure.”

McDonough says it is common to see organizations playing it fast and loose in their implementation of client services technologies that could be made far more secure. He points to the example of one of the largest banks in the world allowing 20 or more employees to share a single set of login credentials for sensitive systems.

“When someone new joined the team, they got the password,” he says. “When someone left the team, the people who stayed behind didn’t change the password. That’s the kind of human element we’re talking about.”

Accidents Are Just as Problematic as Attacks

According to McDonough, many organizations have put cybersecurity contingency plans in place to respond to malicious attacks, but fewer have addressed the fact that as many as half or more of cybersecurity incidents do not involve any bad actors.

“You may or may not be surprised to learn that accidents and non-malicious errors are a major source of cybersecurity incidents in the financial services industry,” he says. “I can think of a client we were working with just recently where an HR associate lost a laptop that had a tremendous amount of sensitive data on it. Everyone is always so focused on the bad actors, but there are so many stories in which the damage is entirely self-inflicted.”

To be clear, the category of “cybersecurity accidents” in this context does not include such incidents where an employee unwittingly opens up a malicious email or link. In such a case the employee does make a mistake, but there is still a bad actor that initiated the potential breach through “phishing” efforts. Rather, cybersecurity accidents are just that—issues that begin with no bad actor or intention of wrongdoing.

“I think it’s helpful to think of the analogy that accidents do far more damage in people’s homes each year versus robberies or arsons. The same idea is true in the cybersecurity space,” McDonough says. “It doesn’t take a criminal or a bad actor to be involved for a serious problem to occur.”

Strong Processes Protect Plan Sponsors

Murphy and McDonough agree that cybersecurity is all about process. Process means such things as regularly reviewing who holds privileged access to data and how that data is used across the organization. It means conducting regular reviews of the list of active administrators and their responsibilities and activities. It means tracking ongoing cybersecurity efforts through a detailed security log.
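The process items above (reviewing privileged access, reconciling the list of active administrators, and recording the result in a security log) and the shared-password anecdote earlier in the article come together in a periodic access review. Below is an added example of what such a review can look like in code; it is not Agio's or John Hancock's tooling. The account export, the HR roster and the 90-day dormancy window are constructed for illustration, and the three findings it produces are exactly the conditions the article describes: a credential with no single accountable owner, an administrator whose owner has left, and an administrator who has not used the access in months.

```python
"""Periodic privileged-access review producing security-log entries.

Added example; the account list, HR roster and thresholds are constructed
and do not describe any real organization's systems.
"""
from datetime import date

# Constructed identity-system export: (account, owning employee id or None, last login).
# An owner of None models a shared or generic credential with no single accountable person.
ADMIN_ACCOUNTS = [
    ("jsmith",     "E100", "2019-06-01"),
    ("mlee",       "E101", "2019-01-15"),
    ("svc_shared", None,   "2019-06-03"),
    ("tbrown",     "E102", "2019-05-30"),
]

# Constructed HR roster: employee id -> employment status.
HR_ROSTER = {"E100": "active", "E101": "active", "E102": "terminated"}


def review_admins(accounts, hr_roster, as_of, dormant_days=90):
    """Return (account, finding) pairs for every privileged account that fails review.

    Findings:
      no_single_owner  - credential not tied to one person (the shared-password case)
      owner_not_active - owner is terminated or unknown to HR, access should have been removed
      dormant          - no login within dormant_days; unused privilege is pure exposure
    """
    findings = []
    for account, owner, last_login in accounts:
        if owner is None:
            findings.append((account, "no_single_owner"))
        elif hr_roster.get(owner) != "active":
            findings.append((account, "owner_not_active"))
        last = date.fromisoformat(last_login)
        if (as_of - last).days > dormant_days:
            findings.append((account, "dormant"))
    return findings


def log_entries(findings, as_of, reviewer):
    """Render findings as one security-log line each, so the review leaves a record
    even when nothing is found (the 'clean' entry proves the review happened)."""
    stamp = as_of.isoformat()
    if not findings:
        return [f"{stamp} access-review reviewer={reviewer} result=clean"]
    return [f"{stamp} access-review reviewer={reviewer} account={acct} finding={f}"
            for acct, f in findings]


if __name__ == "__main__":
    today = date(2019, 6, 10)
    for line in log_entries(review_admins(ADMIN_ACCOUNTS, HR_ROSTER, today), today, "secops"):
        print(line)
```

Running the review against the constructed data flags `svc_shared` (no owner), `tbrown` (owner terminated in HR but the account is still active) and `mlee` (dormant since January), while `jsmith` passes. The same reconciliation is what a plan sponsor can reasonably ask a vendor to evidence, rather than accepting a questionnaire answer that such reviews occur.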

“The cybersecurity threats always evolve, but the attributes of really secure organizations remain the same,” McDonough says. “They enthusiastically embrace the need to conduct penetration testing and the need to train their people about the risks of ‘social engineering’ and other sophisticated phishing efforts. If you think back to all the big headline hacks of recent years, I can think of only one, the Equifax hack, that didn’t start with social engineering that took advantage of the human element. That’s the only one that started with a pure technical hack.”

For its part, to address the human element, Murphy says John Hancock Retirement Plan Services has embedded solutions and analytics systems behind the scenes that are proactively identifying bad behavior that is not actually trying to compromise the network from a technical perspective, for example when a fraudster pretends to be a real participant.

“Overall we’re actually less concerned about a technical breach of our systems than we are concerned about the potential for fraud that exists when participants aren’t practicing good cyber health on their own,” Murphy says. “They may be sharing passwords or using repetitive passwords, or they may have very weak passwords that they never change. For us as providers, advisers or plan sponsors, this situation means we have to be extra vigilant. These types of analytics tools are becoming much more prevalent in the retirement plan industry today, and we’re very happy to see that.”

The Senate Math That Could Block SECURE Act

Senate floor time is at a premium ahead of the 2020 presidential election—so much so that even legislation that passed the House with a near-unanimous bipartisan vote is not guaranteed to become law.

In his position as vice president of strategic communications for the Insured Retirement Institute (IRI), Dan Zielinski spends a lot of time tracking the happenings in Congress.

In recent months, Zielinski has been closely following the progress of the Setting Every Community Up for Retirement Enhancement Act, commonly referred to as the “SECURE Act.” That bill passed the House last month with a practically unanimous vote, and at the time some analysts said they expected very quick Senate passage, perhaps within just a week or two.


As it turns out, those expectations were overly optimistic, and today the SECURE Act is stalled thanks to several Republican senators, among them Texas’ Ted Cruz and Pennsylvania’s Pat Toomey, placing what are called “holds” on the Senate leadership’s resolution to pass the bill under “unanimous consent.”

Senate mechanics are inherently complicated, but in basic terms, a bill can be passed without the usual process of debate and amendment if the full Senate, with no exceptions, agrees to pass the bill with unanimous consent. All it takes is one Senator to force the bill into the normal route of committee consideration and a full schedule of floor debates and votes.

According to what Zielinski has heard in the halls of the Capitol, Senator Cruz is probably the biggest roadblock to the SECURE Act being passed under unanimous consent. Among other issues, it seems that Senator Cruz is refusing to support the final version of the House bill because it no longer includes a provision that would allow people to use tax-advantaged savings in 529 college savings accounts to pay for home school expenses.

“We all had our hopes up that this would pass very quickly, but Senator Cruz threw in a hold,” Zielinski says. “We also heard of another Senator, Pat Toomey of Pennsylvania, who may also have put a hold on this, though his rationale has not been made clear as to why. My colleagues will be meeting with his staff in the coming weeks to try to gain more insight on all of this.”

Though he remains optimistic, Zielinski says the path ahead for the SECURE Act is far from clear.

“At this point, Senate floor time is at a real premium,” he explains. “When you have a deep partisan divide in the Senate, the side in the minority tends to want to slow things down as much as possible. This Senate, under majority leader Mitch McConnell, has been very focused on judicial appointments. And even though they have technically lifted the filibuster in that area, the Democrats are still afforded significant debate time for each appointment, something up to like 30 hours. That eats up a lot of the legislative days.”

This fact is why there was great interest in having the Senate do the SECURE Act consideration under unanimous consent.

“But as the name implies, as soon as one person objects, you don’t have unanimous consent anymore,” Zielinski says. “That’s where we are right now. The bill has great support, but it would have to go through regular order. That would mean the bill would have to be scheduled for floor debate, and, remember, at that point Senator Cruz could then debate it to great length. Even if he doesn’t want to do this, there is the potential for amendments, and Senator Cruz would offer some I think. The last thing the Senate wants to do is change the bill and require the House to vote again.”

What Zielinski and others have heard from Senator McConnell’s office is that leadership is working on trying to find a solution to this situation that will get the holds lifted.

“We don’t know what these are, but we imagine it’s something like, ‘If you drop your hold on this bill you can have a chance to address your issues through amendments to a must-pass, upcoming bill.’ We can only speculate at this point, but that’s probably what a solution would come down to, just given the way these things can go,” Zielinski says. “In the end, we do think that the senators with holds will want to go home and talk about this success. Right now we’re in a waiting game that nobody really saw coming, so there weren’t really any contingency plans in place.”

Potentially important to the fate of the SECURE Act is that the legislative session is quickly moving towards the August break, and after that, the presidential election year will already be looming. Furthermore, towards the end of the year, Congress will have to address the federal budget and the debt ceiling, not to mention the ongoing issues at the border. Will the SECURE Act be able to hold Senators’ attention?

According to David Levine, principal at Groom Law Group, there are “lots of different efforts being made in Congress to get these holds lifted,” but it’s not clear at this point that these will be successful.

“It seems that the majority leader is very focused on other issues, so unless these holds come off, the SECURE Act is not likely to come to the floor at this stage,” Levine suggests. “It’s an evolving landscape. Whenever a bill sits, there can be a myriad of reasons, but the longer it waits, the more challenging it becomes to advance, because of the pipeline of other priorities. There’s a lot of effort going on still to try and move this, so there’s still some room for optimism.”

Like Zielinski, Levine says the lack of floor time could prevent the SECURE Act’s passage this year, even though the bill has so much support and would clearly pass should a vote actually occur.

“For all the talk about the Senate changing its norms and traditions in recent years, it’s still an institution where one or two members can really slow things down,” Levine says. “Something else to consider is the question of what could happen if SECURE Act fails. Might some of the other retirement-focused legislation jump over the SECURE Act? Right now the train tracks are backed up a little bit and it could come out in a few different ways.”

Among the provisions of the SECURE Act that are potentially most significant for plan sponsors are those that would allow unrelated plan sponsors to band together in pooled employer plans, otherwise known as “open” multiple employer plans (MEPs). Additionally, the bill would change the age participants have to start taking required minimum distributions to 72 and provide a new safe harbor for plan sponsors to select a lifetime income provider in order to offer annuities within their retirement plan.

Not immediately, but over time, with passage of open MEP legislation, experts say plan sponsors would see a significant change in service delivery. Their plan advisers will have to consider different distribution paths while plan providers will experience both innovation and disintermediation.

At the same time, while a variety of in-plan income options have been available for some time, in-plan guaranteed lifetime income solutions are not being used as much as they could, industry experts agree. Fewer than half of plan sponsors offer a retirement income solution as part of their defined contribution plan—typically a 401(k)—and only one-fifth of those offer a guaranteed income product, Prudential says. Other survey data shows sponsors are particularly concerned about the prospect of an annuity provider losing solvency in the future after participant assets have been annuitized—and that the plan sponsor could then again become liable for paying the promised benefit to participants.
