Cybersecurity Conference

Staying safe from evolving threats.
Reported by PLANSPONSOR Staff

Cybersecurity is a concern in every area of life, and a critical one in the institutional investing and retirement plan industries. Plan sponsors, asset owners and their advisers want assurance that their data, assets and systems, and those of their providers, are safe. During our Cybersecurity 2023 livestream “Staying Safe From Evolving Threats,” October 12, experts discussed what risks exist; optimal practices for protecting assets and data; and what regulations say, including how best to comply with them. Below is some of our coverage of the event. The recorded livestream is available on demand at planadviser.com/cybersecurity2023.


Best Practices for Cybersecurity Protection

To minimize the impact of potential cyberattacks, organizations should work with their investment managers on compliance with the Securities and Exchange Commission’s new cybersecurity rules, adopt measures that prevent attacks, and be prepared to respond if an attack happens. These were the recommendations of experts in the session “Best Practices for Cybersecurity Protection.”

Percy Lee, an associate at Ivins, Phillips & Barker, Chartered, discussed the SEC’s new cybersecurity rules, which apply to public companies, registered investment advisers, investment companies and broker/dealers.

“These rules have generated a lot of conversation, including some backlash, since they were introduced last year, so the rules have been delayed for now [for certain organizations],” Lee said.

There are two sets of new SEC cybersecurity rules. The first governs publicly traded companies and was adopted July 26, 2023, despite industry pushback. This rule takes effect this year: the initial incident disclosure requirements apply from December 18, with later compliance dates for smaller reporting companies.

The second set of rules governs registered investment companies and investment advisers and would require them to adopt written cybersecurity policies and procedures and to report cybersecurity incidents to the Commission. This rule was proposed in 2022 and remains on the SEC’s rulemaking agenda, but the timeline for finalization is unknown.

“According to the rules, which were brought forward by the SEC in July, RIAs, investment companies and broker/dealers would have to adopt written cybersecurity procedures and report cybersecurity incidents,” Lee said.

Although these investment adviser rules do not generally apply to retirement plan fiduciaries, Lee recommended that plan fiduciaries ask their investment managers about their compliance.

“As far as the SEC rules go, it’s important to understand … that [they’re] for public companies now, but I think that’s going to make its way to even private firms that aren’t traded,” said Nick Brezinski, director of information security and network at CAPTRUST.

Roger A. Grimes, a data-driven defense “evangelist” at KnowBe4 Inc., agreed. “It’s always good for any organization to think about what the rules are that apply to you and how you’d respond if you got hit by some cybersecurity incident,” Grimes said. “Just a ton of people have been hit by ransomware over the past couple of years.”


Grimes urged firms to have an incident response plan in place before an incident happens. In particular, he told the virtual audience, they should know in advance whom to contact when something goes wrong.

“You don’t want to make those sorts of decisions in the midst of the crisis,” he said. “It’s nice to have a thoughtful plan, ahead of time. If the worst happens, you can approach it in the best way.”

Grimes said institutional investors, plan sponsors and advisers should, as preventive measures:

  • Be cautious of social engineering such as fake emails and websites;
  • Patch unpatched software promptly;
  • Regularly update software, firmware and routers; and
  • Use multifactor authentication and a different password for every site.

“Those four things,” he said. “If you can do them, it will probably mean that you’re very unlikely to get compromised.”
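The first of those four measures, spotting fake emails and websites, is the one that lends itself to a worked check. The script below is an added example, not code from the event or from KnowBe4: given a small allowlist of domains an organization actually does business with, it flags sender domains that imitate them by typos, confusable characters (digits for letters, Cyrillic look-alikes, punycode), or by burying the trusted name inside a longer hostname. The allowlist, the confusables table, the two-label notion of a “registrable” domain and the sample sender domains are all constructed for illustration.

```python
"""Flag sender domains that imitate an allowlist of trusted domains.

Added example. TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_SENDERS are constructed
for illustration; none of them comes from the conference coverage.
"""
import unicodedata
from typing import Optional

# Constructed allowlist: domains the recipient genuinely corresponds with.
TRUSTED_DOMAINS = {"captrust.com", "planadviser.com", "knowbe4.com"}

# Constructed, deliberately small table of visual substitutions seen in
# typosquatting. A production tool would use the Unicode confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",                  # digit-for-letter swaps
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic look-alikes
    "rn": "m", "vv": "w",                                    # letter pairs that read as one letter
}


def normalize(domain: str) -> str:
    """Fold a lower-cased domain into a canonical form for comparison."""
    d = domain
    try:
        d = d.encode("ascii").decode("idna")   # expand punycode (xn--) labels to Unicode
    except UnicodeError:
        pass                                   # already contains non-ASCII; nothing to expand
    d = unicodedata.normalize("NFKD", d)       # split accented letters into base + mark
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop the marks
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.captrust.com -> captrust.com.

    Simplification: ignores multi-part public suffixes such as co.uk.
    """
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Allowlist keyed by its normalized form so a folded sender can be matched back.
TRUSTED_NORMALIZED = {normalize(d): d for d in TRUSTED_DOMAINS}


def classify_sender(domain: str) -> tuple[str, Optional[str]]:
    """Return (verdict, trusted_domain_imitated) for a sender domain.

    verdict is 'trusted', 'lookalike' or 'unknown'. A 'trusted' verdict only
    means the name matches; SPF, DKIM and DMARC are what prove the mail came
    from that domain.
    """
    raw = domain.strip().lower().rstrip(".")
    if registrable(raw) in TRUSTED_DOMAINS:
        return "trusted", registrable(raw)

    norm = normalize(raw)
    reg = registrable(norm)
    if reg in TRUSTED_NORMALIZED:              # matched only after folding confusables
        return "lookalike", TRUSTED_NORMALIZED[reg]

    for trusted_norm, trusted in TRUSTED_NORMALIZED.items():
        if norm.startswith(trusted_norm + "."):  # trusted name used as a leading subdomain
            return "lookalike", trusted
        t_sld, r_sld = trusted_norm.split(".")[0], reg.split(".")[0]
        # Threshold of 2 catches transpositions; tighten it for short allowlist names.
        if edit_distance(reg, trusted_norm) <= 2 or t_sld in r_sld:
            return "lookalike", trusted
    return "unknown", None


def review(senders: list[str]) -> dict[str, tuple[str, Optional[str]]]:
    """Classify a batch of sender domains."""
    return {s: classify_sender(s) for s in senders}


# Constructed sample senders, one per imitation technique plus a genuine one.
SAMPLE_SENDERS = [
    "mail.captrust.com",                 # genuine subdomain
    "captrust.com.login-portal.example", # trusted name as leading subdomain
    "capturst.com",                      # transposed letters
    "captrust-secure.com",               # trusted name embedded in a longer label
    "c\u0430ptrust.com",                 # Cyrillic 'а' in place of Latin 'a'
    "kn0wbe4.com",                       # zero for 'o'
    "fidelity.example",                  # not on the allowlist at all
]

if __name__ == "__main__":
    for sender, (verdict, match) in review(SAMPLE_SENDERS).items():
        print(f"{verdict:9} {sender!r}" + (f"  (imitates {match})" if match else ""))
```

The check is intentionally cheap to run on every inbound sender or clicked link; the point is to surface candidates for a human to look at, not to decide authenticity, which is the job of email authentication and of the provider-vetting practices covered in the next session.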

Vetting Providers’ Cybersecurity Processes

How can asset owners, sponsors and plan advisers verify the bona fides of the cybersecurity vendors and other providers whose controls are key to protecting networks and other digital assets from breaches?

A panel at the “Vetting Providers’ Cybersecurity Processes” session offered practical advice on how to do that. It was moderated by Glenn Davis, deputy director of the Council of Institutional Investors.

One vital tool, according to the panelists, is the audit of third-party providers under the System and Organization Controls 2 (SOC 2) framework. The framework was established by the American Institute of Certified Public Accountants and evaluates the controls a service organization uses to protect the customer data it handles, measured against criteria for security, availability, processing integrity, confidentiality and privacy.

Further, speakers said, a SOC 2 Type 2 report describes a company’s internal controls and, unlike a Type 1 report, which assesses only whether the controls are suitably designed at a point in time, tests whether they actually operated effectively over the audit period, typically six to twelve months. Such reports are common among cloud and software-as-a-service providers. An independent audit can reveal whether security controls are well designed and working in practice; a reader should also check the report’s scope, any exceptions the auditor noted, and the complementary user entity controls the customer is expected to implement on its own side.

“This drives confidence and removes speculation” in the screening procedures of providers, advised Jon Atchison, senior lead of governance, risk and compliance at investment adviser firm CAPTRUST.

To cite an example of what can go wrong, Atchison, a speaker on the livestream, pointed to a recent, large cybersecurity failure: the 2023 mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer product, which exposed sensitive personal data held by governments and businesses internationally and potentially affected millions of people. “MOVEit wasn’t the first and won’t be the last,” he said.

One task for providers is to guard against threats from employees and other insiders, said panelist Allison Itami, a principal in Groom Law Group, whose Employee Retirement Income Security Act practice focuses on data privacy and data security. Insiders can pose a risk of theft or fraud, Itami said. “As long as humans are involved,” cyber vulnerabilities will be around, and a lot is at stake, she said. “If you lose money or have a data breach, trust is eroded.”

The vexing reality is that no absolute shield exists. “No one can be 100% safe,” said panelist Mario Paez, national cyber risk leader at Marsh McLennan Agency, which sells insurance to organizations to protect against breach liabilities.

Some think that other business insurance, not tailored to digital crime, will be sufficient—and they are wrong, Paez said. Certainly, specialized cybersecurity policies are complex, “and the devil is in the details,” he stressed. For that reason, he continued, it pays to get a cybersecurity-savvy insurance broker to advise on what is best for a company’s particular needs.

Insurance, he said, must cover a range of necessities that can be created by a breach, including: extortion coverage in case of a ransomware attack; business losses; the costs of notification to people affected by a breach; and forensic probes of how and why an incident occurred.


Speakers

Nick Brezinski

Director of information security and network, CAPTRUST

Larry Clinton

President and CEO, Internet Security Alliance

Roger A. Grimes

Data-driven defense evangelist, KnowBe4

Percy Lee

Associate, Ivins, Phillips & Barker

Thank you, Marsh McLennan Agency, for supporting the event.