Cyber criminals are creative and resourceful — and they’re not just after bank accounts. Industry experts in a recent webinar cautioned that retirement plans are in their sights as well.
“Retirement plans are being attacked in the ways that banks have been,” warned John Rosenburg, Information Security Officer at the New York State Teachers’ Retirement System, in “Preparing Retirement Systems to Manage a Cybersecurity Incident,” a recent National Institute on Retirement Security (NIRS) webinar. Joining him on the panel were Peter Dewar, President Linea Secure; Jeffrey Saiger, Chief Technology Officer for the State Universities Retirement System of Illinois; and Michael Kreps, Principal, Groom Law Group.
The State of Things
“The bad guys are doing their research” and will submit change of address forms, etc., warned Saiger. They are very well-informed, he continued, and they view their efforts as a business opportunity. “We’re a ripe target, unfortunately,” he said.
Michael Kreps made similar observations, saying, “We’ve seen a pretty drastic uptick in cybersecurity events” and that criminals have decided the retirement system has a lot of money. Clients are concerned about these events and the capacity to defend against them, he continued.
Rosenburg, too, reported that they are seeing redirection of direct deposit of retiree payments and that infiltrators are going in to portals to move money.
Deward remarked that phishing is the “number one form of attack”; Rosenburg and Saiger said that impersonation attacks are happening as well.
Consider Risk
Considering risk is a key component in approaching cybercrime and preventing it, panelists indicated.
Saiger suggested identifying risk, as well as whose risk it is and the boundaries of the risks. Rosenburg noted that the New York State Teachers’ Retirement System does an annual risk survey internally, and sometimes has an outside party do one as well.
When planning for a cybercrime event in high-risk areas, panelists suggest, one should:
- Treat cyber risk like organizational risk to get cross-functional buy-in.
- Balance likelihood vs. impact to focus resources.
- Leverage a recognized cyber framework such as National Institute of Standards and Technology (NIST) cyber polices.
- Tailor the framework to pension operations.
Responding to Incidents
The panel argued for preparing a response plan before one needs to take place. Such a plan, they suggest, could include:
- definition of categories of incidents;
- defining roles and responsibilities;
- plan communications; and
- mapping out specific steps to resolve issues.
And when a cybercrime incident has occurred, they suggested the following steps:
- engage counsel;
- utilize cyber insurance and covered services;
- assemble a cross functional team; and
- perform an analysis of root causes.
Saiger also suggested checking cybersecurity insurance coverage.
Action Steps
Panelists had concrete suggestions regarding steps that can be taken to protect retirement plans against cybercrime and address it.
Saiger took a big picture view, advocating awareness of processes and cross-processes, the sensitivity of datasets and how much data is involved.
He and other panel members also had suggestions regarding more fine details:
- Make authentication something unique to the company, not something common and generic.
- Focus on security awareness training with call center staff.
- Pay attention to cybersecurity insurance policies and their wording, since the scope of such insurance can be very limited.
- Have a good relationship with parties involved with cybersecurity and risk management, as friction with a vendor may lead to data points being missed.
