The $5 trillion in retirement plans have become a “tempting target” for hackers to access sensitive information held by plan providers in the industry, so two legislators asked the Government Accountability Office to examine data protections, processes and procedures within the private retirement system.
U.S. Sen. Patty Murray, D-Washington, and U.S. Rep. Robert C. “Bobby” Scott, D-Virginia, sent the letter in February, saying that cybersecurity protections are ill-defined, especially when it comes to what needs to be done in the event of a data breach. The legislators asked the GAO to examine 10 pointed questions around the safety of the private retirement system.
“It is important that workers and retirees know their savings are in fact safe, and that a cyberattack will not throw the retirement they have spent years working and planning for into jeopardy,” the letter said.
While there is no hard data on retirement-savings breaches, and organizations remain tight-lipped to minimize exposure to cybersecurity risks, it appears to be a growing threat to companies large and small that offer retirement plans.
Currently there is no comprehensive national law governing cybersecurity in the private retirement sector, a December working paper published by the Pension Research Council reported. The intent of the paper was to put into context the challenges faced by the industry today, said Ben Taylor, senior vice president at Callan LLC and one of the four authors of the paper.
In the retirement business, a lot of money and personal information is at stake. Names, birthdates, addresses, Social Security numbers, bank accounts and other sensitive information are all common data points that are transferred between organizations and providers. Right now, there is no set framework or standard for how this information should be protected, Taylor said.
“There is a lot of gray area when it comes to cybersecurity,” he added.
In fact, Taylor noted that in some cases, it is hard to determine where a plan sponsor needs to go to report a hack. He added that one client, who didn’t know which law enforcement handled breaches in his area, ended up going to the state highway patrol — the presiding authority for cyberthreats in that state.
“It’s a pretty complicated matrix of threat responses” for plan sponsors to know about, he added.
The private sector hasn’t waited for the federal government to come up with cybersecurity standards for the industry. The SPARK Institute, which stands for the Society of Professional Asset-Managers and Recordkeepers, created the Industry Best Practice Data Security Reporting standards in September 2017. With this paper, SPARK established 16 data security control objectives that service providers can use as a communication tool to show their level of cybersecurity sophistication.
Providing information to plan sponsors in the world of cybersecurity can be complicated for service providers, said Tim Rouse, SPARK’s executive director and co-author of the Pension Research Council’s working paper. Plan sponsors want providers to explain how data are protected from breaches. Meanwhile, providers need to keep some level of secrecy to protect against being hacked. The SPARK standards created a base of communication between providers and plan sponsors that uses a third-party auditor to evaluate and then relay to plan sponsors the provider’s level of data protection.
Rouse said the standards are not meant to guarantee against data breaches. It’s more of a tool for plan sponsors to use when evaluating service providers.
“If a provider’s [security processes] information gets distributed to a plan sponsor, it’s just as good as becoming public knowledge. It becomes the road map that the bad guys can use to get into someone’s system,” Rouse said. “A third-party auditor brings flexibility to the system. The hackers don’t know what they are up against.”
Using a third-party auditor to evaluate a provider’s level of sophistication has worked well, said Neal Ringquist, executive vice president for Retirement Clearinghouse, an industry service supplier, specializing in providing consolidation and portability services to defined contribution plans.
To protect Retirement Clearinghouse’s process, “There are certain things that we would not want to disclose” to a client, Ringquist said. “This is a middle ground that can accommodate both sides.”
While SPARK’s standards help provide some level of assurance, industry experts agreed national standards are needed.
“It is clear that the lack of cybersecurity expertise in the adviser community, the need for plan sponsors to protect participant data, and the lack of a uniform standard or process for third-party audits of cybersecurity measures all call for a solution,” the working paper said.
Getting to that national solution for the retirement industry will be difficult, experts agreed. Issues including determining the regulator for cybersecurity, coordinating state and federal rules, and possibly setting a required level of insurance coverage are all part of creating an overall solution. In addition, lawmakers will need to consider whether failing to protect plan data would result in plan sponsors breaching their fiduciary obligations.
“The industry is looking for clarity on how to respond and distinguish different types of threats,” Taylor said. “Determining how and when to do what can be an extraordinary challenge.”