While most record keepers have “deep benches” of information technology professionals to secure systems that collect DC participant data, those firms still have different levels of technology, which should concern plan sponsors, said Marina Edwards, senior consultant, Willis Towers Watson LLC, Madison, Wis.
“In those ABCDs of technology (artificial intelligence, blockchain, cloud-based systems and digital delivery), part of cybersecurity is why does an employer care about this?” Ms. Edwards said. “If those ABCDs aren’t state of the art, they want to know what’s the risk. Hackers can take over these 401(k) accounts, which are not insured. And while most record keepers have cyber insurance and fraud policies, like with cybersecurity, not all are the same. Do they have make-whole policies? Who makes the participant whole in case money is removed in a breach? Most record keepers have fraud policies that replace 100%, but some replace less.”
Ms. Edwards said there’s often a disconnect between plan sponsor cybersecurity staff and fiduciary committees over understanding the threat of hacking and what it means.
“The maturity and knowledge of what to look for on cyber issues is stronger with the cyber team versus the maturity and knowledge of cyber issues by the fiduciary team,” she said. “Why is that a big deal? The fiduciary committee has the fiduciary responsibilities. Committee members could be held personally responsible if there’s a loss from a hack under ERISA.”
An example, Ms. Edwards said, is a federal lawsuit filed in 2016 and amended in July by participants in Nashville, Tenn.-based Vanderbilt University’s 403(b) plan. The suit alleges that the university breached its fiduciary duties by giving third parties participant data to market services to them.
“They claimed the plan sponsor didn’t care as much for plan data as it did for plan assets,” she said. “If that court rules plans have to care for data as much as they are required to do for plan assets, they can be held personally liable.”
Willis Towers Watson is working to get their DC plan sponsor clients to develop a cyber fraud policy, a three- or four-page document that’s part of a final plan document that maps out what plan sponsors must do to protect information, Ms. Edwards said. “They should also set up a risk-management strategy including a fraud policy that establishes how data is transferred to record keepers and their duty to monitor record keeper cybersecurity, so we know they completed the due diligence of the provider. We also recommend a review of insurance coverage.”
Even if a company’s record-keeping unit isn’t found to have suffered a breach, there’s reputational risk when an unrelated business is hacked, said Agio’s Mr. McDonough, citing the $1 million settlement reached Sept. 26 between the Securities and Exchange Commission and Voya Financial Advisors, the retail wealth management brokerage unit of Voya Financial. The SEC said intruders impersonating Voya Financial Advisors contractors called VFA’s support line and requested that the contractors’ passwords be reset over a six-day period in 2016. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.
Mr. McDonough said Voya’s DC record-keeping business was not involved, but there was a weak link elsewhere at Voya. “People infer that if A is weak, B must be weak,” Mr. McDonough said. “If I’m a hacker, I’d say full speed ahead at going after their other business. People get breached, and many handle that very well. I want to work with those firms. But other firms were intellectually bankrupt on their cybersecurity.”
