Human Error Leaves Retirement Plan Data Exposed

Experts in financial services cybersecurity are confident in most organizations’ technical strategies—in their use of sophisticated firewalls, encryption and network security tools—but there is much more concern about the human element of data protection.

Art by James Yang

Bart McDonough is CEO and Founder of Agio, which he describes as a “hybrid managed IT and cybersecurity services provider specializing in the financial services, health care and payments industries.”

McDonough started the firm in 2010. Prior to that, he worked at SAC Capital Advisors, where he also took significant interest in the cybersecurity topic. Overall, he’s been working on data management and security for the better part of 20 years.

“In today’s evolving cybersecurity environment, our clients come to us for two main reasons, which do overlap,” McDonough says. “First, they want help with their cybersecurity solutions across the board. They have both generic and specific concerns about potential points of exposure for their organization.”

The second reason clients come to Agio is to get help meeting third-party cybersecurity standards, such as those put in place by regulators, particularly the Securities and Exchange Commission via its Office of Compliance Inspections and Examinations (OCIE), or private parties that review and approve cybersecurity.

McDonough says the organizations that come to Agio for help sometimes have great cybersecurity processes and procedures in place, but more often than not there are at least a handful of significant improvements to be made. Usually a company will already have strong firewalls and network protections in place on the technology side—but too often they completely lack an effective strategy for managing the human element that is central to effective data protection.

“One example I can cite here is when organizations lack contingency strategies for accidents in which no third-party bad actor is involved,” McDonough says. “You may or may not be surprised to learn that accidents and non-malicious errors are a major source of cybersecurity incidents in the financial services industry. I can think of a client we were working with just recently where an HR associate lost a laptop that had a tremendous amount of sensitive data on it. Everyone is always so focused on the bad actors, but there are so many stories in which the damage is entirely self-inflicted.”

To be clear, the category of “cybersecurity accidents” in this context does not include such incidents where an employee unwittingly opens up a malicious email or link. In such a case the employee does make a mistake, but there is still a bad actor that initiated the potential breach through “phishing” efforts. Rather, cybersecurity accidents are just that—issues that begin with no bad actor or intention of wrongdoing.

“I think it’s helpful to think of the analogy that accidents do far more damage in peoples’ homes each year versus robberies or arsons. The same idea is true in the cybersecurity space,” McDonough says. “It doesn’t take a criminal or a bad actor to be involved for a serious problem to occur.”

Patrick Murphy, CEO of John Hancock Retirement Plan Services, says that from his perspective leading a major retirement plan recordkeeper, cybersecurity has grown in the last five or so years to become a top daily concern for the C-suite as well as lower levels of management.

“Cybersecurity is such a critical topic and it will remain so,” he says. “Knowing this, we participate in one of the groups organized by SPARK that is designed to create best practices and more commonality in the retirement plan industry when it comes to securing and protecting data. We encourage all our colleagues to do the same.”

According to Murphy, John Hancock and other firms have begun “constantly sharing the information we learn about the fraudsters and bad actors out there” in the interest of better protecting plan sponsors and participants.

“As we identify the evolving types of cyber criminals that are targeting our space, we make sure that our competitors know what is happening,” Murphy explains. “We have to collaborate like this because the bad actors are not just coming at us as a single organizations. They are making a coordinated attack on our whole industry, and so we need to coordinate our defenses. When we help shut down an attack, we know we have an obligation to help others do the same, for the best interest of participants.”

Murphy says that his firm has embraced a multi-level cybersecurity system that is constantly evolving to meet new threats. Similar to McDonough, he says that genuine cybersecurity comes from a thoughtful and diligently applied combination of technical security protocols and internal processes built around multi-factor authentication, complemented by an overall organizational approach that also addresses the inevitability of human error.

“The network protection is always important but the behavioral and human element is the most challenging part,” Murphy says. “This is where advanced analytics and what we call active intelligence come into play. Take an example where you have had a participant that has for years logged into their account from the same device around the same time of day. Our systems can detect and monitor that, so that when a login attempt comes from another device from a different time that is outside the individuals’ normal behavior pattern, a red flag immediately goes up. It doesn’t mean this is an attempt at fraud, of course, but it does mean we should take an extra step to verify who is attempting to access our system.”

Common Failures Include Inadequate Monitoring of Vendors

Given that financial services firms have issues monitoring their own behavior in this domain, it’s likely no surprise that many parties do a lackluster job monitoring the cybersecurity performance of the vendors they work with on a daily basis.

“Think about the vendors you work with as a retirement plan fiduciary—just like your organization, beyond the risk of a malicious attack, they are also comprised of human beings that can make mistakes and experience accidents,” McDonough says. “You inherently don’t have a lot of control over the behavior of employees at a vendor partner, which makes it that much more challenging and important to do your due diligence in advance.”

In his practice consulting on cybersecurity, McDonough sees a lot of “checking-the-box” behavior when it comes to monitoring vendors. 

“We see people sending detailed spreadsheets asking some pretty advanced cybersecurity questions, and they feel doing this allows them to certify that they did some type of vendor review,” he says. “From our perspective, this kind of exercise is actually a waste of time and energy. We can say from experience it just doesn’t work. Real security is not a check-the-box item—it takes diligence to figure all this out.”

Looking across the financial services landscape, McDonough says, pretty much every provider can do a good job responding to these questionnaires.

“Where the real distinction comes in is when you look at specifically how technology tools and solutions are being used by one firm versus another,” McDonough explains. “Take the use of the very popular Salesforce customer relationship management system. The real security variable is not whether or not you use Salesforce. Rather, the security variable is how well the program is configured, used and maintained. There are 100 Salesforce configuration options that can make the platform more or less secure.”

McDonough says it is common to see organizations playing it fast and loose in their implementation of client services technologies that could be made far more secure. He pointed to the example of one of the largest banks in the world allowing 20 or more employees to share a single set of login credentials in sensitive systems.

“When someone new joined the team, they got the password,” he says. “When someone left the team, the people who stayed behind didn’t change the password. That’s the kind of human element we’re talking about.”

Process, Process, Process

Murphy and McDonough agree that cybersecurity is all about process. Process means such things as regularly reviewing the privileged accessing of data and the use of that data across the organization. It means conducting regular reviews of the list of active administrators and their responsibilities and activities. It means tracking ongoing cybersecurity efforts through a detailed security log.

“The cybersecurity threats always evolve, but the attributes of really secure organizations remain the same,” McDonough says. “They enthusiastically embrace the need to conduct penetration testing and the need to train their people about the risks of ‘social engineering’ and other sophisticated phishing efforts. If you think back to all the big headline hacks of recent years, I can think of only one, the Equifax hack, that didn’t start with social engineering that took advantage of the human element. That’s the only one that started with a pure technical hack.”

For its part, to address the human element, Murphy says John Hancock Retirement Plan Services has embedded solutions and analytics systems behind the scenes that are proactively identifying bad behavior that is not actually trying to compromise the network from a technical perspective, for example when a fraudster pretends to be a real participant.

“Overall we’re actually less concerned about a technical breach of our systems than we are concerned about the potential for fraud that exists when participants aren’t practicing good cyber health on their own,” Murphy says. “They may be sharing passwords or using repetitive passwords, or they may have very weak passwords that they never change. For us as providers, advisers or plan sponsors, this situation means we have to be extra vigilant. These types of analytics tools are becoming much more prevalent in the retirement plan industry today, and we’re very happy to see that.”