Battening Down the Hatches Against a Data Breach

An emerging area of concern for plan advisers might just be the actual data of the retirement plan itself, which could shape up to be a compliance issue for the plan sponsors they support. And of course plan advisers themselves hold a great deal of sensitive data on their own clients.

Both FINRA and the Securities and Exchange Commission (SEC) are worried about the amount of personal data an adviser has, notes Gary Sutherland, chief executive of North American Professional Liability Insurance Agency. “They think advisers will be a handy target for people to steal identity,” Sutherland says, “because they tend to be smaller firms with less resources to protect the data.”

Data security is an obligation of all who hold sensitive information, says Marcy Supovitz, principal at Boulay Donnelly & Supovitz Consulting Group. “Even without specific DOL (Department of Labor) guidance, advisers need to be vigilant in protecting plan and participant data as part of their general fiduciary responsibility to clients,” she tells PLANADVISER, noting that cybersecurity governance is a top business issue for her firm.

After issuing a detailed checklist of what advisory firms should provide in terms of data protection in February, the SEC brought out additional steps for firms to address cybersecurity risk. “We viewed that checklist as an opportunity to assess our procedures and, equally important, to re-educate our employees about cybersecurity, as firms are only as safe as their weakest link,” Supovitz says.

Supovitz raises another issue for advisers, sometimes overlooked, that arises when a mutual fund owns shares in a company that has been the victim of a cybersecurity attack. “Prudence may call for removing the fund from the plan’s investment lineup,” she says, “especially if the fund has a large weighting in the victim company.”

Tracking devices on laptops are vital and highly affordable, Sutherland says. “Advisers can remotely wipe out data if it is exposed,” he says, “and three years of coverage is about $100 per laptop.” He recommends installing the software at the time of purchase, so that protection and tracking kick in immediately.

Sutherland recalls an insured client who left his laptop on a train one Friday. He notified the train authorities and was told the next day that the laptop had been located. But when he went to pick it up on Monday, it was gone. Tracking would have helped the client, he says, but the more important piece is that once the computer is used to go online, it sends a signal to tell the owner to eliminate the data. “Laptops may be password-protected,” Sutherland says, “but in the same carrying case as the computer is a sticky note with your log-on and password name.”

When it comes to data protection for a retirement plan, two areas stand out, according to Supovitz. “First, when plan sponsors engage us for a vendor search, we address cybersecurity risks early on in the selection process,” she says. In the request for proposal (RFP) process, Supovitz evaluates the data security procedures of every vendor.

Critical points to compare include how they seal off access to confidential information from intruders and how they monitor cybersecurity procedures on an ongoing basis, notes Supovitz. Plan sponsors can engage the services of an expert to help vet providers, or turn to someone internally on their own IT staff.

“Security should be a pretty significant area of focus for all data that plan sponsors house,” says Adam Pozek, a partner at DWC ERISA Consultants. From Social Security numbers to home addresses and even direct access to payroll, in some cases, the data transcends any one benefit plan, Pozek tells PLANADVISER.

Be aware of the information chain. “If a plan sponsor has security measures in place but the service provider is lax, their data can still be at risk, making data security a critical part of any vetting process, whether for payroll or a benefits plan,” Pozek says.

Sutherland says plan sponsor due diligence on all providers includes asking questions on the provider’s own history of data loss, whether they have insurance to cover a breach and what steps they will take to protect the identity of the plan sponsor as well as the plan sponsor’s employees.

Beyond looking into a provider’s actual data systems, Sutherland recommends that a vendor conduct background checks on new hires and change passwords frequently so they can’t be saved (every 60 days is recommended).

“Plan sponsors will want the TPA and recordkeeper to back up systems at least weekly,” Sutherland advises. Daily backing up is preferable, with redundant systems available. “Typically, if a TPA’s system is hacked into, the provider can move into another system in the Cloud so they can be up and running within hours, not days.”

Pozek says he would ask whether the provider has a specific data security policy for the way its own employees handle data, a question that can generate several more lines of inquiry. “If an employee accesses data through a smartphone, mobile device or laptop, are those devices encrypted or password protected?” Pozek asks. “What type of security is in place? What steps does the organization take to make sure its employees understand the importance of protecting sensitive data? For example, do they understand that many states have restrictions against emailing Social Security numbers over the Internet without password protection or encryption?”

A data breach can generate different costs, Sutherland points out, such as the first-party costs incurred  by the recordkeeper and TPA to notify people of a breach or compromise. “The recordkeeper or TPA might need to bring in a lawyer to handle the notification process or, in some cases, public relations people and/or IT forensics,” he says. “Third-party costs appear when the data they hold belongs to one of their clients and the client suffers damages as a result of the data breach. If the plan sponsor gets a letter saying all their employee data was breached, costs could also include new credit monitoring as well as any potential damages to the employees (third party)

The typical cost to manage someone whose data has been breached is about $150 per person. “At 800 employees, for example,” Sutherland says, “that $150 for each can add up pretty quickly.”

While there ERISA has no specific jurisdiction over plan data, in Pozek’s opinion, all businesses should have a written policy on data security. “It goes into the prudent process selection,” he says. “They have to evaluate on different criteria.” Plan sponsors that don’t feel comfortable reviewing procedures and vendors should seek outside help from their own IT department, an attorney or investment adviser: “Anyone qualified to look at the response and provide guidance.”

The need to pay attention to data security transcends any benefit plan or company size, Pozek says, noting that most breaches are done by robots trained to look for holes they can take advantage of. “Anyone who would use the data for nefarious purposes doesn’t care how big or small you are,” he says.