Cybersecurity: Are You Ready or Not?

Written by: Terry Dunne, SVP and Managing Director of Rollover Solutions Group, and Robert Kunimura, CTO at Millennium Trust Company

With technology changing every day and information increasingly exchanged across physical and virtual environments, cybersecurity has to be a priority for Plan Sponsors and Plan Service Providers. Recordkeepers and Third Party Administrators are natural targets for a cyber-attack.


These companies hold sensitive data on employees enrolled in retirement plans. This data, referred to as “personally identifiable information” or “PII”, may include Social Security numbers, addresses, dates of birth and similar identifiers. With millions of such records held in online systems, attackers have used those systems to steal personal data and to redirect retirement assets to parties not entitled to them.

The ERISA Advisory Council first issued a report in 2011, titled “Privacy and Security Issues Affecting Employee Benefit Plans” [1], which addressed cybersecurity considerations for benefit plans. In November 2015 the Council suggested that a future Council explore the issue further, and on August 24, 2016 the Council met at U.S. Department of Labor headquarters to hear invited witnesses on the topic.

While the ERISA Advisory Council continues to explore this topic for employee benefit plans, companies, especially those in the financial services space, need a concrete plan of action and strategy for cybersecurity now. It is critical not only to protect the data itself, but also to regularly monitor the people who have access to it. Cybersecurity risk must be managed and defenses must be built, with the understanding that even then a successful attack can be catastrophic.

According to Panda Labs, 84 million new malware samples appeared during 2015 [2], 9 million more than in the previous year [3]. In 2015, cybercrime cost the average United States firm $15 million [4]. Juniper Research projects that cybercrime will cost businesses $2.1 trillion globally by 2019 [5]. Would it surprise you that 59% of employees steal proprietary corporate data [6], or that 68% of the funds lost to cyber-attacks will probably never be recovered [7]?

Many companies, large and small, have had cybersecurity problems in the last five years; Target, Home Depot and even the Internal Revenue Service have been among those attacked [8]. According to the 2016 Cost of Data Breach Study: United States, conducted by Ponemon Institute LLC and sponsored by IBM, the average total cost of a data breach is $4 million [9]. Companies should take measures to address these risks and costs.

A few years ago, companies focused on building a very hard perimeter shell facing the Internet. Unfortunately, once that perimeter was breached, attackers could run virtually unchecked inside it. Cybersecurity should instead be built in layers, so that the compromise of one layer does not hand over the whole environment. A layered approach gives a company the ability to better monitor, assess and contain a breach, and if an intrusion does occur the Technology Security team is far better positioned to compartmentalize, seal off and eradicate the threat.

In general, financial service organizations should implement a comprehensive infrastructure with state-of-the-art security components architected into the platform rather than bolted on afterwards. All technology infrastructure must be managed and monitored around the clock. Confidential information that is collected must be stored and transmitted in encrypted or otherwise secure form. Third-party vendors receiving confidential information must be bound by confidentiality requirements at least as restrictive as those set by the financial services firm itself. In addition, proper training must be provided to all employees on an ongoing basis.

In 2014, JPMorgan suffered a data breach that affected 76 million households [10]. Most companies should expect to be breached and should plan in advance for how they will manage that event. It truly is a matter of “when”, not “if”.

One of the latest threats is “ransomware”. The malware enters the company’s systems, usually through what looks to be a benign e-mail, and encrypts key files. The decryption key is provided only if the ransom is paid (usually in Bitcoin). Otherwise, the files remain inaccessible and must be recreated or restored from backup archives, which is why backups must be kept out of reach of the infected systems (offline or otherwise not writable from them) and why restore procedures must be tested before they are needed.
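The failure mode described above is detectable before the ransom note is read if the backup job already keeps a hash manifest of what it protected. The following is an added example, not code from the article or its authors: it takes a baseline manifest of a directory, then rescans and flags files that changed and now have ciphertext-like byte entropy, plus baseline files that have gone missing (the rename-to-`.locked` pattern). The directory, its records and the simulated encryption are all constructed in a temporary folder, and the entropy and alert thresholds are assumptions to tune per environment.

```python
"""Detect ransomware-style mass encryption against a baseline manifest.

Added example, not from the original article. Everything below is
constructed: ten fake participant records, a benign edit, and three
files overwritten with random bytes and renamed. Thresholds are assumptions.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0 (assumption)
ALERT_FRACTION = 0.2      # alert when 20% or more of current files look encrypted (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; text is ~4-5, ciphertext ~8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of content for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def scan(root: Path, baseline: dict[str, str]) -> dict:
    """Compare the tree against the baseline; only changed files get the entropy test."""
    current = manifest(root)
    missing = [f for f in baseline if f not in current]
    encrypted_like = []
    for rel, digest in current.items():
        if baseline.get(rel) == digest:
            continue                      # unchanged since the manifest was taken
        if shannon_entropy((root / rel).read_bytes()) >= ENTROPY_THRESHOLD:
            encrypted_like.append(rel)
    fraction = len(encrypted_like) / max(len(current), 1)
    return {"missing": missing, "encrypted_like": encrypted_like,
            "alert": fraction >= ALERT_FRACTION}


def demo() -> dict:
    """Constructed scenario: 10 records, a baseline, one benign edit, then 3 files 'encrypted'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"record_{i}.txt").write_text(
                f"participant {i:05d}; balance 45210.33; status active\n" * 40)
        baseline = manifest(root)   # in practice stored off-host and read-only
        # Benign update: appended text keeps text-like entropy, so it must not alert.
        with (root / "record_9.txt").open("a") as fh:
            fh.write("address updated 2016-09-01\n")
        # Simulated ransomware: original replaced by random bytes under a new extension.
        for i in range(3):
            src = root / f"record_{i}.txt"
            src.with_name(src.name + ".locked").write_bytes(os.urandom(4096))
            src.unlink()
        return scan(root, baseline)


if __name__ == "__main__":
    result = demo()
    print("alert:", result["alert"])
    print("missing:", result["missing"])
    print("encrypted-like:", result["encrypted_like"])
```

The benign edit to `record_9.txt` shows why the hash diff alone is not enough: plenty of files change legitimately every day, and it is the combination of change plus high entropy, across a large fraction of the tree in a short window, that distinguishes encryption from normal work. The manifest itself has to live where the malware cannot overwrite it, for the same reason the backups must.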

Another approach often used by attackers piggybacks on electronic greeting cards. The recipient is enticed to open the card and, once it is opened, the malware is unleashed on the computer. Its first task is to read the user’s address book and e-mail copies of itself, from the now-infected user’s account, to every entry in it. Because each message comes from a known sender, the threat quickly propagates across many unsuspecting users.

For social media, the big issue is phishing. There are 1.6 billion social network users worldwide, and 64% of Internet users access social media services online [11]. Users are induced to click through to websites that compromise the company’s systems and/or steal valuable data, and attackers often copy logos or other familiar branding to make the lure convincing. Employees must be trained to notice an e-mail that looks fabricated, or that does not fit the context of their normal work or personal patterns. Examples: the employee receives a UPS delivery notification but has not ordered anything to be delivered via UPS; the employee receives a holiday greeting card in mid-summer rather than December; the employee receives a Best Buy gift certificate in an unsolicited e-mail and is instructed to follow an arbitrary link to retrieve it.
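Several of the tells listed above can be checked mechanically before a message ever reaches an employee, which is also what a simulated-phishing program measures. The following is an added example, not code from the article or its authors: it parses a raw e-mail with Python’s standard `email` module and flags a display name that claims a known brand while the sending domain is unrelated, a Reply-To pointing elsewhere, link text that shows one domain while the `href` goes to another, and the lure wording from the article’s examples. The brand allow-list, the lure phrases and both sample messages are constructed for the example, and the domain extraction is deliberately crude (last two labels, no public-suffix list).

```python
"""Phishing indicator triage for an inbound e-mail.

Added example, not from the original article. Flags the tells the article
describes: borrowed branding on an unrelated sender domain, mismatched
Reply-To, link text that hides the real destination, and lure phrases.
BRAND_DOMAINS, LURE_WORDS and both messages are constructed for this demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the organisation expects mail from and the domains they really use (hypothetical list).
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "best buy": {"bestbuy.com"},
}

# Lure wording taken from the article's own examples.
LURE_WORDS = ("gift certificate", "greeting card", "package delivery", "click here")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def registrable(host: str) -> str:
    """Crude 'example.com' extraction: last two labels (assumption; no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""

    # 1. Brand named in the display name (or logo) but sent from an unrelated domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain}")

    # 2. Replies routed somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and "@" in reply and registrable(reply.split("@")[-1]) != from_domain:
        findings.append(f"Reply-To domain {registrable(reply.split('@')[-1])} differs from From")

    # 3. Link text that shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in ANCHOR_RE.findall(text):
        href_dom = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", anchor))
        if shown and registrable(shown.group(0)) != href_dom:
            findings.append(f"link text shows {shown.group(0)} but points to {href_dom}")
        elif from_domain and href_dom != from_domain:
            findings.append(f"link to {href_dom} does not match sender domain {from_domain}")

    # 4. Lure wording in subject or body.
    lowered = (msg.get("Subject", "") + " " + text).lower()
    for word in LURE_WORDS:
        if word in lowered:
            findings.append(f"lure phrase: {word!r}")
    return findings


# Constructed phishing message: borrowed UPS branding, look-alike domain, hidden link target.
SAMPLE = b"""From: "UPS Delivery" <notice@ups-delivery-tracking.example.net>
Reply-To: claims@attacker.example.org
To: employee@plan-sponsor.example.com
Subject: Action required: package delivery on hold
Content-Type: text/html; charset=utf-8

<html><body><img src="cid:ups-logo">
<p>Your package could not be delivered.</p>
<p><a href="http://ups-delivery-tracking.example.net/login">www.ups.com/tracking</a></p>
</body></html>
"""

# Constructed legitimate message for contrast: brand and link domains agree with the sender.
LEGIT = b"""From: "UPS" <noreply@ups.com>
To: employee@plan-sponsor.example.com
Subject: Your package is on its way
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.ups.com/track">Track your package</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE), ("legit", LEGIT)):
        print(label, triage(raw) or ["no indicators"])
```

None of these checks is conclusive on its own: a legitimate marketing sender can trip the Reply-To rule and a real notice can contain a lure phrase. The value is in stacking them, so a message that fires three or four indicators is quarantined or reported while the employee training the article calls for handles the rest.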

In summary, a company should follow the proper steps when it comes to cybersecurity:

  • Apply a layered approach.
  • Timing is important: be able to quickly compartmentalize, contain and eradicate viruses and malware.
  • Carefully screen vendors to assess their Technology Security processes, procedures and tools. All should be subject to Technology Security requirements at least as restrictive as your own.
  • All confidential information must be collected, stored and transmitted in an encrypted file format or other secure form.
  • Run threat analytics and internal and external penetration tests as regularly as possible.
  • Aggressively train staff to look for anomalous behavior.
  • Follow Federal Financial Institutions Examination Council (FFIEC) guidelines.

Even with the proper steps being followed, how are corporations measuring the success of their current security program? The following questions should be asked:

  • Has any data ever been exfiltrated?
  • How many data incidents have occurred?
  • How many breaches of security have occurred?
  • How many incidents have their origin in the use of social media?
  • Are your processes and procedures out of alignment with FFIEC guidelines/best practices?
  • Have your simulated phishing e-mail attacks against your own employees ever been successful?

A “no” (or a count of zero) to these questions is good news. Managing cybersecurity with the steps listed will not shield a company completely, but taking them can help avoid costly losses. It is very important that companies invest in training employees to recognize possible malware and phishing, and in defining what to do when it is found. By doing this, a cyber catastrophe can be avoided, or at the very least minimized.

[1] https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2011ACReport2.pdf
[2] http://www.pandasecurity.com/mediacenter/press-releases/all-recorded-malware-appeared-in-2015/
[3] Id.
[4] http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/
[5] http://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
[6] https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/
[7] Id.
[8] http://www.natlawreview.com/article/addressing-cybersecurity-your-retirement-plan-third-party-administrator-contract
[9] http://www-03.ibm.com/security/data-breach/
[10] http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/?_r=0
[11] https://www.statista.com/markets/424/topic/540/social-media-user-generated-content/