Think Like a Crook: Plan Sponsors’ Approach to Cybersecurity - Interview With Margaret Haering
Is our retirement safe from a hack? With cybersecurity and corporate hacking constantly making the news, how can plan sponsors and providers effectively protect participants’ retirement savings from this additional threat on top of all the other risks? What should the plan sponsors be watching out for and what additional precautions can be taken?
We look at these questions and rejoin the conversation from earlier in the year, when Margaret Haering, Counsel & Assistant Director, Healthcare Policy & Benefits at the State of Connecticut Retirement Plans & Trust Fund, shared her experiences, hindsight and advice for the future at the 2019 Defined Contribution Forum in Chicago this past April.
Interviewer:
How did you come up with the “think like a crook” concept?
Peggy:
All these instances of unauthorized withdrawals from retirement accounts fascinate me. I started researching cases where retirement plans had experienced thefts of funds from participant accounts. I was fascinated by the various methods that the crooks used to steal.
It completely surprised me that these individuals were able to penetrate systems that everyone thought were reliable, and the information they had at their disposal to penetrate those systems. So, to me it became a game in a way: to figure out how a breach happened and what plan sponsors can do to stop it. And then, how can we look for the next vulnerability that is always going to be out there? The problem is that these attacks are relentless, and everybody needs to be aware of that.
“The problem is that these attacks are relentless, and everybody needs to be aware of that.”
Public plans have been at the forefront of these breaches, these unauthorized withdrawals. Part of the reason for that is there's a lot of salary information that people can get under the Freedom of Information Act. You can file a request, get the salary of every state employee, and find out where they work. You can get a similar report on who has the highest pension. You can even sort by income, which allows somebody to target the people who are likely to have the biggest balances.
Interviewer:
We’ve been talking about public plans, but what about corporate plans?
Peggy:
The same issues apply. I think what's different with corporate plans is that the crooks may not be able to target the high earners as easily. There was an incident in Colorado last year, which involved corporate plans sponsored by CSX and JP Morgan, where cyber thieves were able to get unauthorized distributions from the plans. The distributions were all sent to bank accounts in Colorado, and the FBI was called. It is still unknown how it happened.
We have to try to track down what happened so that we can figure out where the crooks might go next and plug that hole before somebody gets in there. Hackers aren't just targeting our assets or our participants’ assets, they're also targeting the personally identifiable information that we plan sponsors keep, that we need to keep.
Interviewer:
“Hackers aren’t just targeting our assets or our participants’ assets, they are also targeting the personally identifiable information,” could you perhaps talk a little bit about that?
Peggy:
Any large plan provides a census file to its record keeper. This census file has the name, Social Security number or employee ID number, and date of birth for all your employees, for everybody who is eligible to be in the plan. The record keeper needs that to set up the account. If a plan sponsor is transferring from one record keeper to another, then that whole data feed gets transferred. So, it's the motherlode for crooks. Anybody who gets access to that information can wreak all kinds of havoc.
Part of the danger with this information is its longevity; it sticks with you throughout life. If somebody gets this data tomorrow, they can use it for the next 10, 20 years. An individual is still going to have the same Social Security number throughout his or her life. So, the crooks can target you in any number of avenues.
The problem, as I see it, is that there are multiple risks, some of which a plan sponsor can control, such as how data is transmitted and how it's stored by the record keeper. An equal danger is data breaches over which you have no control. For example, in the Equifax data breach 145 million Americans had their data exposed. With numbers like that it seems like our accounts are more at risk, and the level of threats just keeps coming.
Interviewer:
So what are some of the red flags that a plan sponsor should be looking for and where are some areas where you think we should be focusing to protect data from unauthorized distributions?
Peggy:
From my perspective, there are two main risks. Many larger plans provide online access to employees, but not everyone uses that mechanism to manage their account. It's actually the people who haven't signed up for online access who are more at risk because it's easier to sign in the first time if all you need is a Social Security number and some other easily obtained information. If I have somebody’s name and position, I can find out a lot about them in about half an hour online.
“It's actually the people who haven't signed up for online access who are more at risk.”
Therefore, the initial account enrollment process has to be made more challenging, and distributions from new online enrollments need to be held up until verification has been obtained from the participant.
Interviewer:
Do you see a vulnerability with people who sign up and request new login details, such as, "I can't remember my login information," etc.?
Peggy:
Absolutely, some of the vulnerabilities are forgotten usernames or passwords, but the biggest risk is to people who don’t establish their online accounts; they are potentially more vulnerable because of the first time registration.
What's important to remember is that data changes (email address changes, banking information changes, address changes) are all potential red flags. Therefore, it is important to put programs in place that make it impossible for somebody who has just changed their bank account data to get a distribution until there is a confirmation from the member.
Interviewer:
You're suggesting that we slow things down so that we make sure we're protecting the data. How do you manage that message?
Peggy:
It simply becomes a case of, do you want your money to go to you? Or do you want it to go to somebody else that you don't know? People who are going to manage their accounts online have already set up their access. They're using it to change contributions, make investment changes and everything else. What's strange is if somebody for the first time sets up online access and then wants to move everything out of his or her plan tomorrow; that's not normal.
Interviewer:
So you're suggesting that we establish certain red flags that are, for example, linked to the movement of certain amounts?
Peggy:
I think it's already happened within the industry. I've interviewed people from other record keepers, and I've been told that the amount of the distribution that they pay more attention to has gone down. At one point it was $50,000, now it's $25,000. Another red flag is a distribution going to a bank account that isn’t owned by the participant, which happens.
A certain level of inquiry is needed if somebody's sending money from a retirement account to an account that is registered in someone else's name. There is a service that plan sponsors and service providers can use to verify ownership of a bank account. Those are the types of things that record keepers are doing these days to confront these problems.
Interviewer:
We now have a polling question for you all because, since Peggy has mentioned this, I would be curious to see how the rest of the audience reacts.
During the past year, has your record keeper modified its protocols to deter unauthorized distributions from participant accounts?
Polled live from the 2019 Defined Contribution Forum
Interviewer:
Well, that's right in line with what you're saying that the record keepers are already on top of that. It’s certainly something that if you're unsure, you should probably be talking to your record keeper and asking what those protocols are and if they've changed them.
Peggy:
Well, I think that's interesting. The record keepers don't necessarily want to tell you what they've done. They'll say we've changed our protocols, we're working together with other record keepers to prevent this, but they don't actually want to tell you how they've changed that, because the more information they share, the easier it would be for the crooks to figure out where the next level of vulnerability might be. So that is a difficulty; I want to know that the record keepers are taking precautions. I don't necessarily need to know what all of them are.
“They'll say we've changed [our protocols], we're working together with other record keepers to prevent this, but they don't actually want to tell you how they've changed.”
Interviewer:
Well, that does take us into potential liabilities as plan sponsors. Can you talk a little bit about that?
Peggy:
Of course, there's no clear regulatory guidance yet on cybersecurity. Obviously, plan sponsors need to be prudent when managing their service providers, but we haven't yet seen a case where the plan sponsor has been held liable for a situation where participants' funds have been transferred to somebody else. I suspect someday there may be that case. In most of the situations I've learned about, the record keeper has made up the losses to the participant's account. Very few of those assets are recovered at the bank. When these types of attacks happen, the money goes to a bank account and it's scooped out, usually within hours or days.
It is possible for authorities to apprehend a low-level criminal going to the bank and picking up the money. My concern is that someday a plan sponsor is going to be held liable for failing to prevent unauthorized distributions. I don't know when that's going to happen or what the circumstances would be, but it's a real concern. It's the reason why I think we all owe it to ourselves and our participants to get a handle on it.
“I can't imagine having to call somebody up and say, I'm sorry, the $80,000 that was in your account yesterday is gone.”
We need to ask the right questions and make sure that our service providers are doing everything they can to make sure that the money that people are saving for their retirement doesn't go missing. I can't imagine having to call somebody up and say, I'm sorry, the $80,000 that was in your account yesterday is gone. It wouldn't be a good situation. Even when the money is paid back, it still makes people feel vulnerable. There is a reputational risk to be avoided at all costs.
Interviewer:
Can you share with us some of the more unusual ways that a cyber-attack was successful that we should be thinking about?
Peggy:
Mail stops have been used in a number of instances; email changes are another way of preventing people from getting notice of transactions. I am aware of one case out of Utah where a perpetrator asked for a check to be sent to the participant's home address and then later called the customer service center and asked for the tracking number so that he could pick it up at the facility. In that case, the perpetrator was arrested when he went to pick up the check at UPS. Examples like these show that there are multiple ways of intercepting information and using it to create the appearance of a regular transaction. It's basically penetrating the existing system that's in place and finding some way of either getting past the customer service people or outsmarting the online protocols to get a distribution.
There is a correlation between distributions and data changes; if there's a data change and distribution request within a day or so of each other or even hours, those transactions need to be focused on.
It's a training issue for staff and record keepers alike. I think what's interesting is the fluid nature of this; once thieves have penetrated a plan they should be expected to keep coming back. It’s not enough to shut down one area of vulnerability. You should expect that the crooks will continue to try to locate others. They're constantly trying to stay one step ahead.
If the risk is never going to disappear, then I think we should all acknowledge that the task is determining what we can do to try to keep up or maybe stay one step ahead. I'm not sure if we can even get that far, but certainly increased surveillance helps.
Interviewer:
We have another polling question to ask the audience. During the past year, has your staff increased surveillance of cybersecurity risks with regard to plan member data?
Polled live from the 2019 Defined Contribution Forum
Interviewer:
Do you have any recommendations with respect to how we should be dealing with our third party providers? We talked a little bit about our TPAs, but there are other service providers, which also have access to this information. Are they a risk?
Peggy:
One of the things we realized is that when you change record keepers, as we all do every so often, the old record keeper still has our data. Moreover, our contract may call for destruction of the data, but they have to retain a certain amount of it for their own purposes. Therefore, when you are transferring from one record keeper to another, you need to figure out what the previous record keeper is going to do with that data and how it will be secured. Internally, one action we've taken is that we've tried to cut down the multiple instances where we use Social Security numbers on our forms. We used to have a block for that information on every single form we used.
The best we can do, I think, is to deal with how the data is transferred, make sure it's encrypted, put whatever restrictions you can on the people who have access to it, and then ratchet up the training for those individuals and everybody else.
Interviewer:
So what resources are out there? What are some of the resources out there for those who are interested in learning more?
Peggy:
One of the best things I've seen was the 2016 ERISA Advisory Council publication on Cybersecurity Considerations for Benefit Plans. It's got a wealth of information, such as questions that you should be asking your next provider. What should be in our contract? What types of data security certifications are out there?
The SPARK Institute has guidelines for evaluating the cybersecurity controls of service providers. Therefore, if you're going to evaluate a record keeper, service provider, cybersecurity systems, etc., the SPARK Institute provides best practices for having a neutral third party evaluate the strength of those protocols without the details being disclosed to you, as the plan sponsor. Because what you don't want to do is ask the provider to show how it's going to protect your data and then, somehow, somebody else gets their hands on it.
There's a SOC 2 report with information about cybersecurity that service providers can obtain. It's very rigorous; those are the types of things that can provide you with some security. As plan sponsors, we should be able to state that we've done our due diligence and ensured that the entities we're hiring take this as seriously as we do. But there's a lot of research that needs to be done, and unfortunately, I think we've created a bit of a monster with all this data access and reliance on data. We have to find some way to get that genie back in the bottle.
That's my fear. The level of threats and the fact that they're coming so often should give us all cause for some concern.