Cyber threats morph and evolve as quickly as the technology and data they compromise. Speakers at SPARK’s national conference in Falls Church, VA suggested ways to protect against them.
Wendy Young Carter, a VP and Defined Contribution Director, Public Sector at Segal Group, noted that the ERISA Advisory Council says that cyber threats to retirement plans include:
- disruption of business operations;
- harm to the company and plan reputation;
- plan participants losing confidence;
- potential financial losses for participants;
- the cost of remediation and litigation; and
- fines and penalties the government may assess.
Focusing on the 2005-2017 period, Josephine Wolff, Assistant Professor of Public Policy and Computer Security at the Rochester Institute of Technology, told attendees that the nature of the threat that cyber criminals pose has been changing. Early in that period, Wolff said, breaches primarily consisted of payment card penetration and fraud. Now, she said, ransomware is the most prevalent emergent threat. Part of that threat, Wolff observed, is that ransomware gets around protections against data breaches in big organizations by victimizing individual users of those organizations’ systems.
Statistics cited by Michael Robinson, Senior Director, Business Development Executive Employee Benefits at Lifelock, bolstered Wolff’s contention that current attacks are targeted at individuals. He noted that 48% of attachments to malicious emails that individuals receive are fake files intended to infect computers and systems when opened, and that the volume of those emails now is 5 percentage points higher than it was just two years ago. Not only that, he said, 10% of all URLs are malicious.
“Concerns about identity theft are at an all-time high,” remarked Robinson, noting that 60 million Americans have been affected by it in the last decade. And identity theft exacts a heavy cost, he said – debt and difficulty paying bills for many individuals, and distraction of employees at work that costs employers due to lost productivity.
Wolff pointed out that companies face many substantial costs related to cyber breaches, including expenses related to cleaning up after a breach, notifications and legal services.
Another growing risk, said David Murray, Financial Lines Head of Product Innovation at AIG, is account takeover fraud – which can include fraudulently transferring assets out of retirement accounts. But sometimes hackers don’t steal funds right away, but rather gain account access and collect information that they can use repeatedly to initiate fraudulent transactions later. And, he said, “the problem is likely to get worse before it gets better.”
Fiduciary duty under ERISA figures in the matter as well. For trustees, selecting service providers is a fiduciary action, Robinson noted, and they have a duty to monitor service providers.
Carter noted that as fiduciaries, trustees “are held to a very, very, very high standard,” and should be “very concerned” about the capabilities and security of systems that service providers use. She suggested some questions that plan fiduciaries should answer when monitoring a service provider:
- Does it have a program?
- Is the program enforced?
- What controls has the service provider put in place for sensitive data?
- How often does the service provider review and rate its system?
- How does the service provider respond to threats and actual breaches?
Nonetheless, noted David Levine, a Principal at Groom Law Group, “In our area, a retirement plan advisor, a plan fiduciary and a plan sponsor can do it right, but there still could be a breach.”
Wi-Fi Protected Access is one defense against payment card penetration and fraud, said Wolff. “There are a lot of opportunities for defense, involving a lot of different stakeholders,” she said.
Cyber liability insurance is another option. It offers:
- partial to full risk assessments;
- experienced professionals, such as those who offer legal and forensic services;
- web sites that provide data that helps in the creation of internal controls;
- coverage not available elsewhere; and
- third-party liability coverage concerning data breaches.
“We’re seeing a lot more insurance now,” said Wolff. Murray added that it can cover breaches of fiduciary duties, but generally does not cover assets. He added the caveat that insurance “is not a panacea” for cyber threats. Another limitation, he said, is that since the threat and incidents are new, there “is not a lot of data to work with” in determining what to cover and insure.
And there’s still more. Levine indicated that the very tools that can protect can also be a detriment. “The automation we’re trying to build can break down,” said Levine, adding that the more automation is implemented, the harder it can be to control security. “We have a balancing act,” said Walsh, adding that if measures are put in place to protect plans and accounts from breaches, it could make it harder for participants to use the system and thus decrease the engagement plans are trying to foster.
It is important to consider what the hacker’s end goal is, Wolff said, and to understand the responsibilities of the parties involved. “There are a lot of different layers to this,” she said.
Wolff did see a ray of hope. Cybersecurity is “often an area where companies are outsourcing to security firms,” she said, but added that she finds it “encouraging to see businesses and individuals that are engaged.”