Human Error Leaves Retirement Plan Data Exposed

Experts in financial services cybersecurity are confident in most organizations’ technical strategies—in their use of sophisticated firewalls, encryption and network security tools—but there is much more concern about the human element of data protection.

Art by James Yang


Bart McDonough is CEO and Founder of Agio, which he describes as a “hybrid managed IT and cybersecurity services provider specializing in the financial services, health care and payments industries.”

McDonough started the firm in 2010. Prior to that, he worked at SAC Capital Advisors, where he also took significant interest in the cybersecurity topic. Overall, he’s been working on data management and security for the better part of 20 years.


“In today’s evolving cybersecurity environment, our clients come to us for two main reasons, which do overlap,” McDonough says. “First, they want help with their cybersecurity solutions across the board. They have both generic and specific concerns about potential points of exposure for their organization.”

The second reason clients come to Agio is to get help meeting third-party cybersecurity standards, such as those put in place by regulators, particularly the Securities and Exchange Commission via its Office of Compliance Inspections and Examinations (OCIE), or private parties that review and approve cybersecurity.

McDonough says the organizations that come to Agio for help sometimes have great cybersecurity processes and procedures in place, but more often than not there are at least a handful of significant improvements to be made. Usually a company will already have strong firewalls and network protections in place on the technology side—but too often they completely lack an effective strategy for managing the human element that is central to effective data protection.

“One example I can cite here is when organizations lack contingency strategies for accidents in which no third-party bad actor is involved,” McDonough says. “You may or may not be surprised to learn that accidents and non-malicious errors are a major source of cybersecurity incidents in the financial services industry. I can think of a client we were working with just recently where an HR associate lost a laptop that had a tremendous amount of sensitive data on it. Everyone is always so focused on the bad actors, but there are so many stories in which the damage is entirely self-inflicted.”

To be clear, the category of “cybersecurity accidents” in this context does not include such incidents where an employee unwittingly opens up a malicious email or link. In such a case the employee does make a mistake, but there is still a bad actor that initiated the potential breach through “phishing” efforts. Rather, cybersecurity accidents are just that—issues that begin with no bad actor or intention of wrongdoing.

“I think it’s helpful to think of the analogy that accidents do far more damage in peoples’ homes each year versus robberies or arsons. The same idea is true in the cybersecurity space,” McDonough says. “It doesn’t take a criminal or a bad actor to be involved for a serious problem to occur.”

Patrick Murphy, CEO of John Hancock Retirement Plan Services, says that from his perspective leading a major retirement plan recordkeeper, cybersecurity has grown in the last five or so years to become a top daily concern for the C-suite as well as lower levels of management.

“Cybersecurity is such a critical topic and it will remain so,” he says. “Knowing this, we participate in one of the groups organized by SPARK that is designed to create best practices and more commonality in the retirement plan industry when it comes to securing and protecting data. We encourage all our colleagues to do the same.”

According to Murphy, John Hancock and other firms have begun “constantly sharing the information we learn about the fraudsters and bad actors out there” in the interest of better protecting plan sponsors and participants.

“As we identify the evolving types of cyber criminals that are targeting our space, we make sure that our competitors know what is happening,” Murphy explains. “We have to collaborate like this because the bad actors are not just coming at us as a single organization. They are making a coordinated attack on our whole industry, and so we need to coordinate our defenses. When we help shut down an attack, we know we have an obligation to help others do the same, for the best interest of participants.”

Murphy says that his firm has embraced a multi-level cybersecurity system that is constantly evolving to meet new threats. Similar to McDonough, he says that genuine cybersecurity comes from a thoughtful and diligently applied combination of technical security protocols and internal processes built around multi-factor authentication, complemented by an overall organizational approach that also addresses the inevitability of human error.

“The network protection is always important but the behavioral and human element is the most challenging part,” Murphy says. “This is where advanced analytics and what we call active intelligence come into play. Take an example where you have had a participant that has for years logged into their account from the same device around the same time of day. Our systems can detect and monitor that, so that when a login attempt comes from another device at a different time that is outside the individual’s normal behavior pattern, a red flag immediately goes up. It doesn’t mean this is an attempt at fraud, of course, but it does mean we should take an extra step to verify who is attempting to access our system.”
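The per-participant baseline Murphy describes (usual device, usual hour of day) can be implemented with a few lines of scoring logic. The example below is added here for illustration and is not John Hancock’s system or code; the login records, the user and device identifiers, the two-hour window and the minimum history of five logins are all assumptions chosen for the demonstration. A login that matches the baseline is allowed, a login at an unusual hour is flagged for monitoring, and a login from a never-seen device triggers the extra verification step mentioned in the quote.

```python
"""Behavioral login baseline check (added example, not a vendor's code)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed login history: (participant_id, device_id, ISO-8601 timestamp).
# Not real data; hypothetical IDs chosen for the example.
LOGIN_HISTORY = [
    ("p1001", "dev-A", "2019-05-01T08:02:00"),
    ("p1001", "dev-A", "2019-05-08T07:58:00"),
    ("p1001", "dev-A", "2019-05-15T08:15:00"),
    ("p1001", "dev-A", "2019-05-22T08:05:00"),
    ("p1001", "dev-A", "2019-05-29T07:50:00"),
    ("p1001", "dev-A", "2019-06-05T08:20:00"),
    ("p2002", "dev-X", "2019-06-01T12:00:00"),  # too little history to baseline
    ("p2002", "dev-X", "2019-06-03T12:30:00"),
]


def build_baselines(history):
    """Per user: counts of devices seen, counts of login hours, total logins."""
    baselines = defaultdict(lambda: {"devices": Counter(), "hours": Counter(), "n": 0})
    for user, device, ts in history:
        b = baselines[user]
        b["devices"][device] += 1
        b["hours"][datetime.fromisoformat(ts).hour] += 1
        b["n"] += 1
    return baselines


def hour_distance(h1, h2):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def score_login(baseline, device, ts, min_history=5, hour_window=2):
    """Return (risk_score, reasons). Score 0 means the login matches the pattern.

    Assumed weights: new device = 2, unusual hour = 1, no usable baseline = 1.
    """
    if baseline is None or baseline["n"] < min_history:
        return 1, ["insufficient history"]
    score, reasons = 0, []
    if device not in baseline["devices"]:
        score += 2
        reasons.append("new device")
    hour = datetime.fromisoformat(ts).hour
    if not any(hour_distance(hour, h) <= hour_window for h in baseline["hours"]):
        score += 1
        reasons.append("unusual hour")
    return score, reasons


def decide(score):
    """Map a risk score to an action; the thresholds are assumptions."""
    if score >= 2:
        return "step_up_auth"   # ask for an extra verification factor
    if score == 1:
        return "monitor"        # allow, but record and watch
    return "allow"


def evaluate(history, user, device, ts):
    """Full pipeline: baseline the history, score one new login, pick an action."""
    baselines = build_baselines(history)
    score, reasons = score_login(baselines.get(user), device, ts)
    return decide(score), reasons


if __name__ == "__main__":
    for user, device, ts in [
        ("p1001", "dev-A", "2019-06-12T08:30:00"),   # normal
        ("p1001", "dev-A", "2019-06-12T22:00:00"),   # same device, odd hour
        ("p1001", "dev-B", "2019-06-12T23:30:00"),   # new device, odd hour
        ("p2002", "dev-X", "2019-06-12T12:10:00"),   # not enough history yet
    ]:
        print(user, device, ts, evaluate(LOGIN_HISTORY, user, device, ts))
```

In a production deployment the baseline would be stored per user and updated as logins are confirmed legitimate; the point of the example is that a high score is a trigger for additional verification, not a fraud verdict, exactly as the quote states.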

Common Failures Include Inadequate Monitoring of Vendors

Given that financial services firms have issues monitoring their own behavior in this domain, it’s likely no surprise that many parties do a lackluster job monitoring the cybersecurity performance of the vendors they work with on a daily basis.

“Think about the vendors you work with as a retirement plan fiduciary—just like your organization, beyond the risk of a malicious attack, they are also comprised of human beings that can make mistakes and experience accidents,” McDonough says. “You inherently don’t have a lot of control over the behavior of employees at a vendor partner, which makes it that much more challenging and important to do your due diligence in advance.”

In his practice consulting on cybersecurity, McDonough sees a lot of “checking-the-box” behavior when it comes to monitoring vendors. 

“We see people sending detailed spreadsheets asking some pretty advanced cybersecurity questions, and they feel doing this allows them to certify that they did some type of vendor review,” he says. “From our perspective, this kind of exercise is actually a waste of time and energy. We can say from experience it just doesn’t work. Real security is not a check-the-box item—it takes diligence to figure all this out.”

Looking across the financial services landscape, McDonough says, pretty much every provider can do a good job responding to these questionnaires.

“Where the real distinction comes in is when you look at specifically how technology tools and solutions are being used by one firm versus another,” McDonough explains. “Take the use of the very popular Salesforce customer relationship management system. The real security variable is not whether or not you use Salesforce. Rather, the security variable is how well the program is configured, used and maintained. There are 100 Salesforce configuration options that can make the platform more or less secure.”

McDonough says it is common to see organizations playing it fast and loose in their implementation of client services technologies that could be made far more secure. He points to the example of one of the largest banks in the world allowing 20 or more employees to share a single set of login credentials for sensitive systems.

“When someone new joined the team, they got the password,” he says. “When someone left the team, the people who stayed behind didn’t change the password. That’s the kind of human element we’re talking about.”

Process, Process, Process

Murphy and McDonough agree that cybersecurity is all about process. Process means such things as regularly reviewing privileged access to data and how that data is used across the organization. It means conducting regular reviews of the list of active administrators and their responsibilities and activities. It means tracking ongoing cybersecurity efforts through a detailed security log.
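The administrator review described above, and the shared-credential failure McDonough cites a few paragraphs earlier, come down to one recurring check: every privileged account must map to an active, named person, and it must still be in use. The following is an added example, not code from either firm; the admin group export, HR roster, last-login dates, the 90-day dormancy threshold and the account names are all constructed for the demonstration. The review flags terminated users who are still privileged, shared or orphaned accounts with no owner, service accounts whose owner has left, and accounts that have gone dormant.

```python
"""Periodic privileged-access review (added example with constructed data)."""
from datetime import date

# Constructed inputs, not real data:
ADMIN_GROUP = ["alice", "bob", "svc-backup", "carol", "ops-shared"]   # export of the admin group
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}
LAST_LOGIN = {
    "alice": date(2019, 6, 10),
    "bob": date(2019, 5, 30),
    "svc-backup": date(2019, 6, 11),
    "carol": date(2019, 2, 1),
    "ops-shared": date(2019, 6, 12),
}
# Service accounts must have a named, active owner; this mapping is an assumption.
ACCOUNT_OWNER = {"svc-backup": "carol"}


def review_admins(admins, roster, last_login, owners, today, dormant_days=90):
    """Return a list of (account, finding) pairs for the review meeting."""
    findings = []
    for acct in admins:
        if acct in roster:
            # A human account: the person must still be employed.
            if roster[acct] != "active":
                findings.append((acct, "terminated user still privileged"))
        elif acct in owners:
            # A service account: its named owner must still be active.
            if roster.get(owners[acct]) != "active":
                findings.append((acct, "service account owner not active"))
        else:
            # Nobody answers for this account: the "20 people share one password" case.
            findings.append((acct, "no HR record or named owner (shared/orphan account)"))
        last = last_login.get(acct)
        if last is None or (today - last).days > dormant_days:
            findings.append((acct, "dormant"))
    return findings


def accounts_to_disable(findings):
    """Accounts whose findings justify immediate removal from the admin group."""
    urgent = {"terminated user still privileged", "service account owner not active",
              "no HR record or named owner (shared/orphan account)"}
    return sorted({acct for acct, reason in findings if reason in urgent})


if __name__ == "__main__":
    results = review_admins(ADMIN_GROUP, HR_ROSTER, LAST_LOGIN, ACCOUNT_OWNER, date(2019, 6, 15))
    for acct, reason in results:
        print(f"{acct:12} {reason}")
    print("disable now:", accounts_to_disable(results))
```

Running the review on a schedule, and recording each run and its outcome in the security log the paragraph mentions, turns the “process” advice into something an examiner can actually verify.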

“The cybersecurity threats always evolve, but the attributes of really secure organizations remain the same,” McDonough says. “They enthusiastically embrace the need to conduct penetration testing and the need to train their people about the risks of ‘social engineering’ and other sophisticated phishing efforts. If you think back to all the big headline hacks of recent years, I can think of only one, the Equifax hack, that didn’t start with social engineering that took advantage of the human element. That’s the only one that started with a pure technical hack.”

For its part, to address the human element, Murphy says John Hancock Retirement Plan Services has embedded analytics systems behind the scenes that proactively identify bad behavior which does not involve a technical compromise of the network at all, for example a fraudster pretending to be a real participant.

“Overall we’re actually less concerned about a technical breach of our systems than we are concerned about the potential for fraud that exists when participants aren’t practicing good cyber health on their own,” Murphy says. “They may be sharing passwords or using repetitive passwords, or they may have very weak passwords that they never change. For us as providers, advisers or plan sponsors, this situation means we have to be extra vigilant. These types of analytics tools are becoming much more prevalent in the retirement plan industry today, and we’re very happy to see that.”

SECURE Act Ensnared in Senate After Flying Through House

Washington insiders say Senator Ted Cruz is probably the biggest roadblock to the SECURE Act being passed in the near-term under unanimous consent; among other issues, he wants the bill to allow people to use tax-advantaged 529 college savings accounts to pay for home school expenses.

Art by Sam D’Orazio


In his position as vice president of strategic communications for the Insured Retirement Institute (IRI), Dan Zielinski spends a lot of time tracking the happenings in Congress.

In recent months, Zielinski has been closely following the progress of the Setting Every Community Up for Retirement Enhancement Act, commonly referred to as the “SECURE Act.” That bill passed the House last month with a practically unanimous vote, and at the time some analysts said they expected very quick Senate passage, perhaps within just a week or two.


As it turns out, those expectations were overly optimistic, and today the SECURE Act is stalled thanks to several Republican senators, among them Texas’ Ted Cruz and Pennsylvania’s Pat Toomey, placing what are called “holds” on the Senate leadership’s resolution to pass the bill under “unanimous consent.”

Senate mechanics are inherently complicated, but in basic terms, a bill can be passed without the usual process of debate and amendment if the full Senate, with no exceptions, agrees to pass the bill with unanimous consent. All it takes is one Senator to force the bill into the normal route of committee consideration and a full schedule of floor debates and votes.

According to what Zielinski has heard in the halls of the Capitol, Senator Cruz is probably the biggest roadblock to the SECURE Act being passed under unanimous consent. Among other issues, it seems that Senator Cruz is refusing to support the final version of the House bill because it no longer includes a provision that would allow people to use tax-advantaged savings in 529 college savings accounts to pay for home school expenses.

“We all had our hopes up that this would pass very quickly, but Senator Cruz threw in a hold,” Zielinski says. “We also heard of another Senator, Pat Toomey of Pennsylvania, who may also have put a hold on this, though his rationale has not been made clear as to why. My colleagues will be meeting with his staff in the coming weeks to try to gain more insight on all of this.”

Though he remains optimistic, Zielinski says the path ahead for the SECURE Act is far from clear.

“At this point, Senate floor time is at a real premium,” he explains. “When you have a deep partisan divide in the Senate, the side in the minority tends to want to slow things down as much as possible. This Senate, under majority leader Mitch McConnell, has been very focused on judicial appointments. And even though they have technically lifted the filibuster in that area, the Democrats are still afforded significant debate time for each appointment, something up to like 30 hours. That eats up a lot of the legislative days.”

This fact is why there was great interest in having the Senate do the SECURE Act consideration under unanimous consent.

“But as the name implies, as soon as one person objects, you don’t have unanimous consent anymore,” Zielinski says. “That’s where we are right now. The bill has great support, but it would have to go through regular order. That would mean the bill would have to be scheduled for floor debate, and, remember, at that point Senator Cruz could then debate it to great length. Even if he doesn’t want to do this, there is the potential for amendments, and Senator Cruz would offer some I think. The last thing the Senate wants to do is change the bill and require the House to vote again.”

What Zielinski and others have heard from Senator McConnell’s office is that leadership is working on trying to find a solution to this situation that will get the holds lifted.

“We don’t know what these are, but we imagine it’s something like, ‘If you drop your hold on this bill you can have a chance to address your issues through amendments to a must-pass, upcoming bill.’ We can only speculate at this point, but that’s probably what a solution would come down to, just given the way these things can go,” Zielinski says. “In the end, we do think that the senators with holds will want to go home and talk about this success. Right now we’re in a waiting game that nobody really saw coming, so there weren’t really any contingency plans in place.”

Potentially important to the fate of the SECURE Act is that the legislative session is quickly moving towards the August break, and after that, the presidential election year will already be looming. Furthermore, towards the end of the year, Congress will have to address the federal budget and the debt ceiling, not to mention the ongoing issues at the border. Will the SECURE Act be able to hold Senators’ attention?

According to David Levine, principal at Groom Law Group, there are “lots of different efforts being made in Congress to get these holds lifted,” but it’s not clear at this point that these will be successful.

“It seems that the majority leader is very focused on other issues, so unless these holds come off, the SECURE Act is not likely to come to the floor at this stage,” Levine suggests. “It’s an evolving landscape. Whenever a bill sits, there can be a myriad of reasons, but the longer it waits, the more challenging it becomes to advance, because of the pipeline of other priorities. There’s a lot of effort going on still to try and move this, so there’s still some room for optimism.”

Like Zielinski, Levine says the lack of floor time could prevent SECURE Act’s passage this year, even though the bill has so much support and would clearly pass should a vote actually occur.

“For all the talk about the Senate changing its norms and traditions in recent years, it’s still an institution where one or two members can really slow things down,” Levine says. “Something else to consider is the question of what could happen if SECURE Act fails. Might some of the other retirement-focused legislation jump over the SECURE Act? Right now the train tracks are backed up a little bit and it could come out in a few different ways.”

Industry analysts have speculated that passage of the SECURE Act could have a big influence on retirement plan advisers and their clients. While other provisions of the legislation are significant, perhaps the biggest change would come in the bill’s promotion of open multiple employer plans, or “open MEPs.”

While open MEPs will allow employers to pool together into commonly administered plans, advisers will still have a significant role to play with regard to helping plan sponsors and participants. MEPs simplify the day-to-day process of running a plan, but the employer still has to understand the features and requirements of the plan, and employees need help with investing and financial wellness matters.

While MEPs would standardize the investment lineup, thereby reducing advisers’ role in that respect, plan sponsors always need help with plan design, educating participants and knowing their fiduciary duties. Furthermore, there will still be plenty of small businesses that don’t decide to join a MEP and that will need the help of a retirement plan adviser. Some specialist advisers could even create their own open MEPs.
