Analyzing Retirement Industry Cybersecurity Risks and Best Practices

A certain famous bank robber is said to have explained that he robbed banks because ‘that’s where the money is.’ As of the end of 2021, U.S. retirement plans now have a significant amount of money, with more than $37 trillion of assets.

Art by Philip Lindeman

News reports in recent years show that criminals are targeting retirement plans, as well as the financial services firms that serve them.

Among those that have been targeted recently, with varying degrees of success, are Alight Solutions, Cetera and Transamerica Retirement Solutions, though they’re far from the only providers to have suffered cyberattacks.

In many cases, cybersecurity lapses can be costly to an organization. Case in point, the U.S. Securities and Exchange Commission charged multiple Cetera entities a combined $300,000 in fines and penalties last summer for failures in their cybersecurity policies and procedures that resulted in what the agency described as “email account takeovers,” which exposed the personal information of thousands of customers and clients at each firm. Earlier in 2021, the SEC censured and fined GWFS Equities, a Colorado-based registered broker/dealer and affiliate of Great-West Life & Annuity Insurance Co., $1.5 million. That case involved alleged violations of the federal securities laws governing the filing of Suspicious Activity Reports, also known as SARs.

According to the Investment Company Institute, U.S. retirement plans held $37.4 trillion of investor assets at the end of 2021’s third quarter. Experts say that ocean of money—combined with the accounts’ valuable personal data and the multiple ways of accessing accounts remotely—makes retirement plans a natural target for thieves.

“As retirement plan advisers, we see phishing schemes, ransomware, social engineering attacks, email compromise and wire fraud,” warns David Graver, vice president of Fort Pitt Capital Group in Pittsburgh. “The last one really sticks out when specifically focusing on retirement accounts. Often, emails will be compromised, or online accounts hacked, and unauthorized loans or withdrawals will be requested from the account.”

Simply put, advisers must be wary of cybersecurity risks and do their utmost to ensure clients, and their own firms, do not become victims of increasingly sophisticated and well-equipped cyberthieves.

The DOL Steps In

In early 2021, the U.S. Department of Labor’s Employee Benefits Security Administration issued new cybersecurity guidance for plan sponsors, fiduciaries, participants and recordkeepers. The first publication in the series offered suggestions for plan sponsors on hiring service providers with strong cybersecurity practices. The second publication was a 12-point list of best practices for plan service providers and the sponsors evaluating those providers. A third publication detailed online security practices for plan participants and beneficiaries.

The DOL’s work was the first of its kind and highlights the agency’s greater focus on retirement plan-related security. While the tips might be new information for some in the industry, in reality, the guidance is not groundbreaking, says Jon Meyer, CAPTRUST’s chief technology officer in Raleigh, North Carolina.

“What [the DOL] is recommending is not really any different from widely understood best practices,” Meyer says, “but that doesn’t mean the DOL’s tips don’t carry significant weight.”

He argues that the “entire ecosystem” in the retirement plan industry understands it is their fiduciary duty to make sure, not only that their house is in order, but that every supplier they are working with is capable and worthy of handling sensitive data—especially participant data.

David Levine, principal and co-chair of the plan sponsor practice with Groom Law Group, Chartered, in Washington, D.C., stresses that the DOL’s tips are not binding. Nonetheless, the recommendations figure prominently in his work with clients.

“If I’m involved in a request for proposals, we will often ask about these standards and we will actually try to incorporate them into contracts,” Levine says. “If I’m representing a plan sponsor, I’ll try to put them in place between the sponsor and the adviser. These standards are being adopted in many different areas.”

The DOL is doing more than just publishing security suggestions, though. Levine says the agency is “digging deeper and moving.” He cites his experience from about two years ago, when the DOL began asking cybersecurity questions. Levine recalls that the agency’s staff members initially asked 10 short questions.

“Now they are constantly evolving,” he says. “I saw one [questionnaire] recently for a client that was four-and-a-half pages long.”

Meyer agrees that the DOL is placing greater emphasis on expanded due diligence. “I think you can run a registered investment adviser practice and not have any technology staff, but you have to be really good at supplier management and focus on how you are making sure that they are strong and capable in the cybersecurity dimension,” Meyer cautions. “Traditionally, that has not been done. People have taken at their word that Company X can provide great services. Now, the DOL is really encouraging parties to dig in and understand if somebody is capable of handling the sensitive data.”

Identifying Exposures

Identifying the cybersecurity exposures that a plan adviser or sponsor might encounter is the first step in eliminating those threats. Dennis Lamm, senior vice president, customer protection, with Fidelity Investments in Merrimack, New Hampshire, suggests that advisers should start by considering the two broad types of risks to plan sponsors and their employees.

These exposures include the risk to their data, in the form of security breaches, and the risk to their accounts, in the form of fraud. 

“The former typically manifests itself through phishing, malware and, increasingly, ransomware,” Lamm says. “The latter is directed more to individual retirement and brokerage accounts and seeks to take over customer accounts by using stolen passwords and compromised email accounts, or mobile phones.”
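To make the account-takeover pattern Lamm and Graver describe concrete, here is an added Python example (not from the article or from any firm quoted in it) that holds a loan or withdrawal request for out-of-band verification when it follows an email, phone or password change on the same account within a short window; the event log, event names and field layout are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed event log for a hypothetical recordkeeper (field names are assumptions).
# Each row: (participant id, ISO timestamp, event type, details).
EVENTS = [
    ("P1001", "2021-09-01T09:00:00", "login", {"mfa": True}),
    ("P1001", "2021-09-01T09:05:00", "email_changed", {"new": "p1001@example.net"}),
    ("P1001", "2021-09-02T14:30:00", "withdrawal_requested", {"amount": 45000}),
    ("P2002", "2021-09-03T10:00:00", "login", {"mfa": True}),
    ("P2002", "2021-09-03T10:10:00", "loan_requested", {"amount": 5000}),
    ("P3003", "2021-08-01T08:00:00", "phone_changed", {"new": "+15550100"}),
    ("P3003", "2021-09-10T08:00:00", "withdrawal_requested", {"amount": 12000}),
]

# Events that a takeover typically produces before money moves (compromised email,
# compromised phone, or a stolen/reset password), and the events that move money.
CONTACT_CHANGES = {"email_changed", "phone_changed", "password_reset"}
DISTRIBUTIONS = {"withdrawal_requested", "loan_requested"}


def flag_post_change_distributions(events, window_days=7):
    """Return (participant, distribution time, preceding change type) for every loan or
    withdrawal requested within `window_days` after a contact-detail change on the
    same account. Requests with no recent change are not flagged."""
    by_participant = {}
    for pid, ts, kind, _details in events:
        by_participant.setdefault(pid, []).append((datetime.fromisoformat(ts), kind))

    flagged = []
    for pid, evs in by_participant.items():
        evs.sort()  # chronological, so the last matching change is the most recent one
        for when, kind in evs:
            if kind not in DISTRIBUTIONS:
                continue
            recent = [k for t, k in evs
                      if k in CONTACT_CHANGES
                      and timedelta(0) <= when - t <= timedelta(days=window_days)]
            if recent:
                flagged.append((pid, when.isoformat(), recent[-1]))
    return flagged


if __name__ == "__main__":
    for hit in flag_post_change_distributions(EVENTS):
        print("hold for out-of-band verification:", hit)
```

With the default seven-day window only P1001 is held; widening the window to 60 days also catches P3003, whose phone change and withdrawal are 40 days apart.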

Levine cites the idea of laying out a “data chain” to see who has access to information and to highlight potentially overlooked exposures. He emphasizes that it’s not sufficient to evaluate only a plan’s 401(k) recordkeeper. For instance, sensitive data can be shared with third-party vendors such as wellness service and managed account providers.

“Every step of the chain has a cybersecurity risk,” Levine warns. “It’s important to look at the entire lineup of your business.”

Meyer stresses the need for an independent third party to conduct a risk assessment regularly. CAPTRUST conducts an annual risk assessment and also does penetration testing twice each year. The goal of penetration testing is to identify where and how hackers might attack a firm and to determine, in advance and in a safe setting, how the firm’s defenses would hold up.

The next level of security analysis is “red team” testing. Meyer explains this involves hiring a firm that will work to actively exploit—versus only identifying—potential weaknesses in the organization’s defenses. Red team tests go beyond probing online weaknesses.

“Fraudsters don’t just attack the web,” Meyer says. “They’ll hit the call center, they’ll try faxes and they’ll try mail. They will use every channel to try and make something happen, so it’s not enough to simply just focus on a web application when you are a multichannel contact center and taking requests from participants through a variety of means.”

Building a Best Practices Framework

The sources for this article agreed that cybersecurity is not a one-and-done effort. Cybercrime is global and has no operating hours, Lamm notes, so security efforts must run nonstop. He recommends that advisers look to industry-defined best practices to address exposures internally and with vendors. Along with the DOL’s tips, he also points to the Data Security Reporting and Fraud Controls Best Practices published by the SPARK Institute’s Data Security Oversight Board as a useful resource.

“At a minimum, organizations should comply with established global standards for data security and testing, such as ISO 27001 and the SOC 2,” Lamm adds.

Ben Taylor, senior vice president and head of tax-exempt defined contribution research with Callan Associates in Los Angeles, says that creating a cybersecurity defense is best done with what professionals call a “CSF,” or cybersecurity framework.

Taylor, who serves as vice chairman of the SPARK Data Security Oversight Board, points to frameworks such as those developed by NIST, aka the National Institute of Standards and Technology, and the ISO, or the International Organization for Standardization, which set guidelines for the essential elements of basic security. To assist advisers and clients with understanding the common themes and most important features of the major CSFs, the board developed a set of standards that identify the critical, common features for the industry.

Working With External Resources

Ultimately, there is a large amount of cybersecurity best-practices guidance available to advisers and sponsors. However, following that guidance can be a challenge if an adviser or plan sponsor lacks the internal expertise to implement the recommendations and evaluate third parties’ efforts.

Conducting due diligence on security measures is challenging, Taylor notes, partly because there is a tangle of legal liability associated with known vulnerabilities and in part because the secrecy of some of the defensive metrics is key to their efficacy.

“As a result, there continues to be a need for clear best practices, and a trusted, third-party standard for audit and review of those security practices,” he says. “There are several options for conducting security audits of key vendors like custodians or recordkeepers, and these include audits like a SOC 2 report, or an agreed-upon procedures audit that follows the SPARK template for the standard best practices.”

Meyer believes smaller organizations can lack the manpower, technical aptitude and persistence to follow a strong cybersecurity process. In response, these firms often hire technology service providers and delegate full responsibility to them.

“That’s only a partial solution,” he cautions. “I would challenge all firms to make sure they have independent oversight and audits of their service providers. If you don’t have that, then I think you end up with holes in your armor. The results are never world-class when you just hire a firm and don’t have anybody checking behind it to make sure that what it’s doing is really secure.”