Not a Cybersecurity Expert? No Problem

Standardized processes can help plans identify vendors who excel at providing data protection for the retirement industry.

In April 2021, the Department of Labor’s Employee Benefits Security Administration issued “Tips for Hiring a Service Provider with Strong Cybersecurity Practices.” The publication provided guidance on cybersecurity best practices to “help business owners and fiduciaries meet their responsibilities under ERISA to prudently select and monitor such service providers.”

Implementing the tips’ high-level guidance can create several challenges. For example, the first tip tells sponsors to ask vendors about their audit results, security standards, practices and policies, and then to compare those findings with financial industry standards. But plan sponsors typically are not cybersecurity experts, just as they are not experts on investment funds or many other matters, according to Ray Conley, CEO of Jackson, Wyoming-based Benetic, Inc., an online marketplace for retirement advisers and service providers. That lack of expertise creates a need to hire consultants and other cybersecurity experts, as it does with a plan’s investments, Conley says.

Another challenge is the retirement industry’s unique complexity and the interdependency of various vendors. Conley cites plans’ multiple relationships with recordkeepers, custodians and trustees, third-party administrators and payroll providers as examples.

“They’re all sharing personally identifiable information [and] financial information, and at every point that there’s an interface, that introduces risk,” he says.

Most cybersecurity rating services are not focused on the retirement industry, says Conley. “They just look at one company or they’ll call it maybe supply chain risks,” he says. “But this is different than a supply chain. This is a synthesis of a bunch of service providers working together. Anyone who’s really doing their job on this needs to have some experience and focus on the retirement industry.”

Allison Dirksen, a senior vice president and head of wealth solution sales at Voya Financial in St. Paul, Minnesota, says sponsors can consider adopting a standard vendor risk assessment (VRA) process. A VRA can be used for third parties, especially those that exchange or store electronic information or documents containing participant information. The assessments are matched against a firm’s policies and standards to ensure vendors are held to the same standards as the plan.

The risk assessment of a prospective third-party vendor should be performed prior to the execution of a contract, says Dirksen. This step ensures that all data protection requirements are incorporated into the contract with the vendor and that key vendor control documents are reviewed during the assessment. As part of the due diligence and in addition to the VRA, obtaining proof of the vendor’s cybersecurity insurance and data protection policies is also a good practice, says Dirksen.

Working with Recognized Standards

The DOL’s guidance states that sponsors should: “Look for service providers that follow a recognized standard for information security and use an outside (third party) auditor to review and validate cybersecurity.”

The Service Organization Control (SOC) is an example of an audited standard. Independent auditors, often larger accounting firms, perform SOC examinations on service organizations based on guidelines established by the American Institute of Certified Public Accountants.

SOC reports have different levels: SOC 1 reports evaluate security controls at one point in time, while SOC 2 reports consider a longer period, perhaps six months. In a SOC 2 audit, a third party reviews an organization’s controls for protecting the confidentiality and integrity of its data processing systems. Large U.S. recordkeepers distribute their SOC reports. A web search found that Fidelity, Vanguard, T. Rowe Price and Voya, for example, offer their SOC reports to plan sponsors or post them online.

SOC reports introduce another complexity, though. Different vendors’ SOC 2 reports are not directly comparable, Conley explains. Although they cover a standardized set of information technology risks, companies’ organization of their reports’ material can differ.

“When you look at a SOC 2 report from one company and try and compare it to another company, it’s like comparing apples and oranges, even though they’re addressing the same controls,” says Conley. “It’s really hard to compare, let’s say, Fidelity’s SOC 2 to Transamerica’s SOC 2 to Principal’s SOC 2. You can do it, but it’s kind of hard.”

Consolidating with SPARK

As Conley notes, comparing and evaluating vendors’ individual SOC reports can be a time-consuming process. The Simsbury, Connecticut-based Society of Professional Asset Managers and Recordkeepers (SPARK Institute) addressed this problem with its 2017 publication of best cybersecurity practices for recordkeepers. Tim Rouse, the executive director of the SPARK Institute, says that before the creation of SPARK’s industry standards, plan sponsors would query vendors with numerous questions in requests for proposal. Each vendor’s sales team would then respond to the questions.

SPARK’s member firms agreed to use the published SPARK standards when reporting on 16 (now 17) identified critical data security control objectives.

“The implementation of industry standards required SPARK member firms to utilize independent third-party auditors to provide basic information on 17 control categories as a starting point for cybersecurity discussions,” Rouse explains. “So, rather than have sales teams answer client questions on cybersecurity, basic control information is provided by independent third-party auditors. While this process has been adopted by larger plan sponsors, smaller plan sponsors have not yet implemented the process in great numbers.”

The 17 SPARK control objectives offer examples of what plan sponsors should review on each point, from overall risk assessment to cloud security and ransomware. The document also offers samples of the kinds of controls service providers should have in place to address each objective.

Conley, a SPARK member, says that while SOC 2 reports cover security, availability, processing integrity, confidentiality and privacy, only certain controls apply to cybersecurity and the retirement industry. SPARK created a method for mapping SOC 2 controls to retirement-industry-specific issues, Conley explains: “The SPARK report allows someone to compare the reporting of different recordkeepers in a common format to make it a little more apples-to-apples comparable.”

Managing the RFP Process

The DOL suggests plan sponsors review their vendors’ cybersecurity credentials at least annually. There are several approaches to managing the vendor cybersecurity evaluation process. A standard method is for the plan or its consultants to approach vendors directly.

Another approach is to work with a specialist cybersecurity evaluation service, which in turn reviews the vendors’ controls and protections. Benetic has published a detailed guide for sponsors and advisers to use as an RFP template in evaluating cybersecurity evaluation firms. The guide is designed to help “plan sponsors and advisers find a firm with the expertise, access and understanding necessary to evaluate and compare complex multiple vendor evaluations, regardless of the type of employee benefit program.”

Benetic and the SPARK Institute are also collaborating on PlanShield, an effort to provide “neutral and transparent information on cybersecurity risk to plan sponsors” that launched in July. For participating recordkeepers, PlanShield uses the following five-step process:

  1. Recordkeeper provides SOC 2 and SPARK reports to PlanShield, which uses the information to produce a summarized risk score that addresses the DOL guidance in a simplified format;
  2. PlanShield conducts a confidential external security review of the recordkeeper’s websites;
  3. PlanShield evaluates a firm’s penetration testing process;
  4. Recordkeeper provides PlanShield details of any insurance policies that may cover plan participants for cyber breach losses. PlanShield scores the coverage; and
  5. PlanShield generates a plan-specific risk rating for the recordkeeper.

Early response to PlanShield has been very positive, says Conley: “We are already overwhelmed with demand due to word-of-mouth referrals for the service and haven’t had time to market it or even add it to the website yet.”

Cybersecurity Concerns Require Attention From Sponsors, Participants and Recordkeepers

Firms concerned with protecting accounts and data are increasingly vigilant about the need to strengthen and safeguard their systems.

The biggest risk in securing retirement plan participants’ data from cyber threats may not arise from any technological or design flaw. For many plan sponsors looking to boost security, the greatest challenge could lie in motivating individuals to take the necessary steps to guard against potential fraud.

That task is a constant effort for many firms, such as Voya Financial.

“We consistently provide our employees and partners with information and educational tips and trainings about potential fraud schemes and how to protect themselves, the company and our customers,” says Allison Dirksen, senior vice president and head of wealth solutions sales with Voya.

Finding the best way to improve cybersecurity in retirement plans remains a perennial problem for plan sponsors because it requires ongoing participant buy-in. But some recordkeepers see the benefits in fostering a partnership with retirement plan participants while also enhancing internal security measures.

Although cybersecurity is not a new concern, Michael Kreps, co-chair of the Washington, D.C.-based Groom Law Group’s retirement services and fiduciary group, sees greater visibility of the issue as plan sponsors are increasingly focused on the need to strengthen protections.

“Plan sponsors are pretty paternalistic when it comes to their employees,” Kreps says. “Nobody wants their accounts stolen.”

To maintain vigilance on this topic, Voya regularly provides information, as well as training and educational pointers, about potential fraud. Most of the tips are focused around not becoming a victim of scams, Dirksen wrote in an email.

“Some of the biggest risks can come from participants themselves, not from an employer or plan provider,” Dirksen says, observing that the main threats may stem from opening a dangerous email attachment. That is the reasoning behind Voya’s emphasis on reminding individuals about digital security and offering guidance ranging from “don’t click on links from sources you do not know” to “secure your device and do not leave your laptop unsecure and unattended, specifically in a public area or vehicle.”

Finding the right metaphor and making it personal may also help inspire individuals to protect themselves, according to Jack Barry, vice president and head of product development for John Hancock Retirement.

“When you think about the retirement savings account, for most people this is their largest asset outside their home,” Barry says. “With your home, it’s much easier to physically secure and monitor, and then you go to assets in a plan, and you almost have to take as much care as you do to secure your home as you do when thinking about your retirement assets.”

Barry, based in Boston, views the approach as a team effort in which the retirement plan provider, employer and plan participant work together to prevent fraud. To aid in that process, John Hancock created a best practice guide to share with plan sponsors who have a direct relationship with plan participants and can circulate it on company intranet sites or in company-wide and team meetings.

The guide covers specific tips ranging from “use strong, unique passwords” to messages that “public, unsecured Wi-Fi is convenient, but it’s unreliable.” There are also reminders to “Be aware of what you share” on social media, since “the social aspect of social media means that we’ve become increasingly OK with publicly posting personal information.”

The warnings continue by spelling out to individuals that their answers to security questions on financial account sites, such as the names of a best friend or of pets, could be easily found online. The overarching message to individuals? Ask questions about who they should trust and what information they choose to disclose, according to Barry.

“For the retirement saver, a key is bringing a healthy dose of skepticism to everything,” Barry says.

To add further protection and help prompt individuals to take greater care with their own security, John Hancock utilizes what the firm calls a cybersecurity guarantee, which backstops potential fraud for individuals who follow the published best practices. If there is an unauthorized transfer that occurred through no fault of the individual, John Hancock will reimburse that account immediately, according to Barry.

“For anything that was taken, we will then take on the responsibility of going after anyone who happened to gain unauthorized access to [the] account,” Barry says. “All that we ask is that [retirement account holders] follow prudent online practices.”

Good online habits include some basics such as keeping information up to date, notifying the firm immediately of any nefarious activity and cooperating with any ongoing investigation, he says.

Both John Hancock and Voya also encourage individuals to enable new security measures such as signing up for two-factor authentication, even when such measures add what can be irritating friction to individuals accessing their own accounts.

“While not always perceived to make things easier for the individual, [it] provides an additional layer of security,” Dirksen says.

Barry also sees the benefits in urging retirement plan participants to be patient with complex password requirements that demand uppercase letters and symbols, as well as two-factor authentication.

“It’s those extra steps that, again, seem to be slightly frustrating in the moment that really bring a second or third layer of security,” Barry says. “That’s how we would think of the three parties working together to make sure everyone’s assets stay secure.”

Working in the background, too, are other new technologies that can alert the plan sponsor of a potential breach.

“Some recordkeepers have included voice recognition technologies and auto fraud detection,” Kreps says. “If you call a call center and [the call is deemed] suspicious, it will flag it as suspicious, and they’ll put a few more hurdles in place.”

Examples of red flags might include if the account is owned by a man, but it sounds like a female voice, or the person calling cannot answer verification questions, Kreps says.

John Hancock’s call centers also geolocate call origins and listen for background noise based on an understanding that some large fraud operations function as a group. The mobile app, which relaunched last spring, also has full biometric capabilities, which has led to John Hancock suggesting people start with the mobile app, because it requires a facial ID or fingerprint ID.

“When you think about protecting your house, it’s not just your front doors, it’s your garage and your windows,” Barry says.

While some firms, such as John Hancock, have developed types of cybersecurity guarantees, identifying who is responsible for a loss remains an ongoing conversation more broadly across the industry, according to Kreps, and includes regulators.

“Eventually we’ve got to figure out how to deal with this and how to apportion that responsibility, because if I had a billion-dollar 401(k), no one’s going to want to make that up,” Kreps says.

Kreps anticipates that, over time, Congress, regulators and the industry will work together to develop clear guidelines, as they have in other industries.

“When was the last time you seriously worried about your car or your credit card being stolen?” Kreps asks rhetorically. “The private industry and recordkeepers are much, much, much further ahead in their thinking about this than Congress.”

Kreps sees attention to these issues growing, including through the efforts of working groups that include multiple recordkeepers, to develop standard industry practices. He points to recent Department of Labor guidance tailored to employees as underscoring some of the widely accepted techniques plan sponsors can encourage, such as monitoring accounts for unusual activity, changing passwords and taking care not to share personal account information with others.

“The Department of Labor’s guidance didn’t have too much that was new, but what it did is highlight the importance of the issue,” Kreps says. “Regulators are looking closely at it. They don’t know precisely how to attack the problem; I don’t think any of us do. The criminals have a pretty strong financial incentive to continue to innovate.”
