Cybersecurity may feel like an unending purgatory of whack-a-mole. But an expert panel at an Oct. 25 session of the 2022 ASPPA Annual Conference offered some tips that can help lead one closer to the promised land of greater security.
“Cyber Cyphers: Tips, Tricks and Practice Shifts that Can Keep Your (Plan) Data Safe” offered a wealth of ideas and strategies to help thwart the nefarious actively of cyber criminals intent on purloining data and revenue. Panelists included Heather Bader, partner at Faeger Drinker Biddle & Reath, LLP; Genelle Brakefield, Vice President of Ekon Benefits; Frank Porter, Relationship Manager, Large, Mega & NFP Markets, Empower Retirement; and Dave Scott, Deputy Assistant Director, FBI Cyber Division, Cyber Branch.
“The financial sector has been a target for years,” remarked Scott, setting the table for the discussion. The reason, he observes, is that there are assets of $12 trillion in the industry.
In the Trenches
Retirement professionals who serve plans and their participants are increasingly involved in improving cybersecurity and protecting them. And that is not being driven only from the top down—they also are experiencing pressure from below. “Now clients want to document, in minutes, procedures to protect data,” Porter reported.
If a Breach Happens
When there is a cybersecurity breach, Bader said her firm wants to know:
- what happened;
- who failed; and
- what was in place to prevent it.
If there are policies in place but they are not followed, “that’s a problem,” said Bader.
Porter articulated a similar approach, advocating going through the relevant fact pattern so as to better protect against a breach in the future.
Brakefield said that firms are implementing cybersecurity self-assessments, as well as having reviews conducted by firms from outside, as well.
Panelists outlined a variety of steps that TPAs can take to boost cybersecurity for their firms and those whom they serve.
- Stay up to date on software.
- Delineate duties related to cybersecurity.
- Use multifactor authentication.
- Read and understand your cyber policy.
- Have malware scans conducted.
- Make it easy for employees to report suspicious activity.
- Monitor banking activity; Brakefield said that her firm does so on a daily basis.
- Document how you are going to contact clients about a breach.
- Rotate service providers.
It’s Up to You
Of course, many parties have an important role in cybersecurity. But TPAs and plan sponsors are key players, and indispensable in the effort to protect plans and participants.
The DOL, said Bader, is asking questions about cybersecurity — and their interest is not limited to what plans are doing, she said, but extends to service providers. “It’s not just the plan sponsor’s responsibility,” she said. “This is going to be an expectation for TPAs and service providers,” agreed Brakefield.
“Not to put any pressure on you, but it’s up to you to protect those plan participants,” Scott told attendees. “You may be the last line of defense,” added Brakefield.