Avoiding lawsuits, improving retirement readiness, documenting plan decisions, auditing follow through, benchmarking fees, selecting an auditor, maintaining clean data, coordinating communications with third-party vendors—the list of priorities for plan sponsors goes on and on. Here is an item that should be moved to the top of the list: cybersecurity.
One of the most significant near-term cybersecurity problems in the financial services industry is the scarcity of reliable tools for authenticating clients. In retirement plan services, the issue arises whenever plan sponsors, recordkeepers, or other plan fiduciaries try to confirm the identities of lost or non-responsive participants in order to reunite them with their savings.
Personal data is publicly available
Authentication once was a fairly straightforward task. People could verify their identities by providing Social Security Numbers, dates of birth, mothers’ maiden names, or passwords. When that data was compromised, institutions fell back on security questions. Unfortunately, social media and data breaches have put personal identifiers, and the answers to many security questions, within easy reach of cybercriminals.
Today, financial services companies have begun to use dynamic knowledge-based authentication to protect plan participants. Rather than a fixed identifier, this relies on ancillary facts drawn from records about the person being authenticated. For example, a company might ask, ‘What was the color of your car in 1970?’ Such questions can be accurate, but each one is useful only for a limited period: once the underlying records are exposed in a breach, or the answer can be found online, the question no longer proves anything.
Biometric measures are becoming more important, too. Quantum cryptography is sometimes mentioned as a future aid, but it addresses key distribution rather than identity, and the data and infrastructure it would require are immense.
Until alternate forms of authentication are available, plan sponsors, consultants, recordkeepers, and others in the retirement plan services industry are responsible for protecting data integrity and authenticating participants’ identities using the technology currently available.
DOL ERISA Advisory Council expectations
In November 2016, the Department of Labor’s ERISA Advisory Council published Cybersecurity Considerations for Benefit Plans. Its appendix is a resource for plan sponsors and service providers and offers insight into the council’s expectations for plan security.
“Common cyber risks to benefit plan participants include identity theft, privacy breaches and theft of assets. The cost of a breach, which includes detecting the extent of the breach, recovering the data and restoring the system, can be substantial. Cyber threats cannot be eliminated but they can be managed… It is critical for plan sponsors, administrators and service providers to have a strategy to (1) manage data and assets with the objective of minimizing exposure to the cyber threats that exist now and that will develop in the future, and (2) respond and recover should a breach occur.”
Cyber attacks are a growing problem, and one that retirement plan sponsors and plan service providers need to address. Some in the industry have already adopted biometric solutions, including voice biometrics and fingerprints, to reduce fraud and speed up authentication.
How to manage lost and unresponsive participants
Biometric solutions can improve security for current participants, but they are of little or no use for authenticating lost and unresponsive participants, who were never enrolled. Worse, the poor quality of plan data for these participants can make authenticating them and their beneficiaries particularly challenging.
Safe harbor IRAs—specialized individual retirement accounts for former employees who remain plan participants and have balances of $5,000 or less—can be an important component of any plan sponsor’s comprehensive cybersecurity plan.
For many years, plans with automatic IRA rollover provisions have relied on safe harbor IRAs to reduce administrative headaches and decrease plan costs. The IRAs also preserve former participants’ tax advantages, while IRA custodians locate missing participants and remind them of their forgotten savings.
From a cybersecurity perspective, safe harbor IRAs can remove the need for plan sponsors and fiduciaries to authenticate the identities of former employees themselves. Rollover IRA custodians such as Millennium Trust are tasked with locating missing participants and reuniting them with their retirement savings, and these firms have developed dedicated processes for locating and authenticating missing participants and their beneficiaries.
Document your process for assessing cybersecurity
Cybersecurity evolves constantly. Whether you’re assessing the capabilities of a new or current service provider or documenting your company’s authentication process, it’s critical to ask the right questions. If you’re not sure what you should be asking, the Federal Financial Institutions Examination Council (FFIEC) provides a cybersecurity assessment tool that may help.
In addition, the FFIEC advises: “As part of cybersecurity, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.” In practice, that means implementing cybersecurity measures and building a security-aware culture across the organization through ongoing communications, mandatory training, and periodic testing.
Terry Dunne is senior vice president and managing director of Retirement Services at Millennium Trust Company, LLC. Dunne has over 35 years of extensive consulting experience in the financial services industry. Bob Kunimura is chief technology officer at Millennium Trust Company. Millennium Trust Company performs the duties of a directed custodian, and as such does not sell investments or provide investment, legal, or tax advice.