Provider Due Diligence: Key to Avoiding Catastrophic Cyberattacks
Oct 05, 2023
The recent MOVEit breach highlighted the need for plan sponsors to carefully vet
service providers in order to protect participants’ assets, data and personal
information.
With the
increased frequency of cyberattacks, including within the retirement industry,
plan sponsors have a fiduciary responsibility to ensure that providers with
whom their plans are working are taking cybersecurity seriously.
The recent breach of the encrypted file
transfer software program MOVEit, which
exposed the personal information of participants via financial firms,
universities, the U.S. federal government and the California public retirement
systems, brought to light the far-reaching implications of a data breach, even
though it occurred at a vendor, rather than a plan sponsor.
It also emphasized the importance of
conducting in-depth requests for proposals, as well as annual due diligence,
when considering plan vendors. In the MOVEit case, class action lawsuits have
been filed against companies due to breaches suffered by servers run by other
companies. Incidents can affect plan sponsors, even when they occur several
layers of business away from the plan sponsor itself.
Screening for Cybersecurity in the RFP
Robert Massa, managing director at Qualified
Plan Advisors, says the RFP process is crucial and that plan sponsors should be
asking a series of questions to ensure a vendor’s cybersecurity practices are
up to par. A vendor in this context could be an adviser, recordkeeper,
custodian or any type of service provider.
In the RFP template Massa provides to his
clients, it first asks any vendor to detail its firm’s policies, procedures and
data encryption. This includes tools that the vendor uses to prevent unauthorized
access, fraud, theft and misuse.
Massa says he also asks vendors if they have
ever experienced a breach and, if so, how they handled it. He says vendors
sometimes do not want to answer that question, but plan sponsors have a
fiduciary responsibility to know what has happened.
“No one should be embarrassed about the fact
that they’ve been breached at this point,” Massa says. “It’s more a question of
how you handle it than it is the fact that you got hacked. … You want to know
what [the vendor’s] processes and procedures are for dealing with these threats and
protecting that personal, identifiable information.”
For example, Massa says a plan sponsor needs
to know how data is stored and how data is received, especially because the
sponsor regularly needs to transfer a payroll file that contains names, Social
Security numbers, dates of birth, addresses, income numbers and more.
“There’s so much information in there that
is critical, and you want to make sure that that data is protected both in
transit and once it’s encrypted,” Massa says.
Another consideration that can be screened
for in the RFP process is how a vendor deals with a participant who terminates
employment and how their access to their payroll account, for example, is
deactivated.
“It’s painful, but you’ve got to look at the
SOC reports,” Massa says, referring to service organization controls reports.
“You’ve got to be willing to roll up your sleeves and look at these audit
reports and see what [a vendor’s] third-party auditors have said about their
controls.”
A SOC report is governed
by the American Institute of Certified Public Accountants and focuses on
offering assurance that the controls put in place by service organizations to
protect their clients’ assets (data, in most cases) are effective. There are
several types of SOC reports, but plan sponsors should mainly be aware of SOC 1
and SOC 2 reports.
A SOC 1 report covers outsourced services performed by service organizations
that are relevant to a company’s financial reporting. A SOC 2 report focuses
on the operational risks of outsourcing to third parties outside of financial
reporting.
Paul Catenacci, senior partner in and head
of the employee benefits practice group at Novara Law, says some providers will
push back when asked about cybersecurity practices and may even ask the sponsor
to sign a nondisclosure agreement in order to receive the information.
“On the provider side, they’ve got some
legitimate concerns too,” Catenacci says. “They don’t necessarily want to
publicize their security protocols. Some are saying [they] don’t want to reveal
how much insurance [they] carry, because [they] don’t want to be a ransomware
target [if] somebody knows [they] have a $30 million insurance policy.”
But Catenacci emphasizes that the Department of Labor expects
employers to make prudent decisions when hiring service providers and that the
vendor-vetting process should be well-documented.
“Plan sponsors need to be practical about
this and [say], ‘Let’s weigh the costs and benefits,’” Catenacci says.
“Certainly it’s a risk we need to manage, but not a risk we can manage in a
vacuum.”
He suggests that a plan sponsor could have
an IT focus group that helps with vetting service providers, as well as a
cybersecurity expert that sits on the plan’s fiduciary committee—if they can
afford it.
The Importance of Cybersecurity Insurance
Jon Meyer, chief technology officer at
CAPTRUST, says it is crucial for plan sponsors, as well as any suppliers to the
plan that process confidential information, to have cyber risk insurance.
“In addition to the financial coverage that
cyber insurance can provide, it can also provide a team of really sophisticated
experts who can assist any organization experiencing a breach, ranging from
forensic information security personnel to lawyers [and] breach and mediation
firms that have the scale and the capacity to contact consumers and support
them with call centers,” Meyer says.
Allison Brecher, Vestwell’s general counsel
and chief privacy officer, said plan sponsors should be aware that there has
been a “sea change” in the cybersecurity insurance market since the start of
the pandemic.
“Carriers are raising premiums and
deductibles and, for some companies, dropping coverage altogether,” Brecher
said in an emailed statement. “Plan sponsors should make sure that the service
providers’ coverage levels, as well as the deductibles, are appropriate.”
Massa adds that a plan sponsor should ask
vendors about their insurance coverage, and he says vendors should be candid
about their errors and omissions policy, cyber policy and their access to
protection in case of a breach.
Know Your Provider’s Provider
At the very least, Massa says a plan sponsor
should ask vendors if the vendor uses any third-party subcontractors.
Hypothetically, a sponsor’s recordkeeper or
third-party administrator could share a company’s data with an outsourced
provider located outside the U.S. Massa says there is nothing illegal about outsourcing
information, but the sponsor needs to know what is being done with that data
before making a decision.
A sponsor may know that a vendor sends
information to a company in Thailand, for example. If that company gets hacked,
Massa says the sponsor needs to know how their employees will be protected
against that breach.
“[The plan sponsor] is responsible for
selecting that vendor and all the decisions that vendor makes,” Massa says.
“Not asking the question and not doing due diligence is absolutely a problem.”
Meyer explains that, as seen with the MOVEit breach, attackers are interested
in getting into software products used across multiple organizations. If a
sponsor hears about a major cyber breach, Meyer recommends they reach out to
their vendors and ask whether they or their suppliers were affected.
“Nobody can guarantee with certainty that
everything they do is immune from that kind of exploitation,” Meyer says. “But
what everybody can do is be really good at knowing their supplier.”
Part of a sponsor’s annual due diligence
should include asking vendors follow-up questions, such as whether they use any
services like MOVEit and what their exposure is.
Educating Participants
As the Department of Labor explained in its
cybersecurity best practices, plans need strong control procedures,
guaranteeing that any system users are who they claim to be and that only
appropriate parties can access IT systems and data.
Brecher said when a bad actor gets access to
a plan participant’s login credentials through personal or work email, the bad
actor will often log into the participant’s retirement plan account and take a
distribution.
“These ‘account takeovers,’ as they are
called, have little to do with the service provider, and carriers are routinely
denying coverage for that type of loss,” Brecher said. “The best defense is a
good offense, and plan sponsors should always be reviewing and reminding their
own employees about [the] online security of their accounts, checking their
statements regularly and immediately reporting any suspicious activities.”
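The account-takeover pattern Brecher describes (a login with stolen credentials, then a distribution) is one a recordkeeper can watch for in its own audit trail. The following is an added example, not code from the article or from any vendor it names; the event format, field names, time window and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, participant id, action, source address).
# Participant p-1001 shows the takeover pattern; p-2002 is a routine request.
EVENTS = [
    ("2023-09-01T10:00:00", "p-1001", "login", "203.0.113.5"),
    ("2023-09-15T09:30:00", "p-1001", "login", "203.0.113.5"),
    ("2023-09-29T02:14:00", "p-1001", "login", "198.51.100.77"),  # never-seen address
    ("2023-09-29T02:20:00", "p-1001", "bank_account_change", "198.51.100.77"),
    ("2023-09-29T02:25:00", "p-1001", "distribution_request", "198.51.100.77"),
    ("2023-09-20T11:00:00", "p-2002", "login", "192.0.2.10"),
    ("2023-09-21T11:05:00", "p-2002", "distribution_request", "192.0.2.10"),
]


def flag_suspicious_distributions(events, window=timedelta(hours=24)):
    """Return {participant: [(timestamp, reasons)]} for distribution requests
    that follow takeover indicators within `window`: a login from an address
    first seen recently, or a recent change of payout bank account."""
    by_participant = defaultdict(list)
    for ts, pid, action, ip in events:
        by_participant[pid].append((datetime.fromisoformat(ts), action, ip))

    alerts = {}
    for pid, evs in by_participant.items():
        evs.sort()  # process each participant's history in time order
        first_login_from = {}  # address -> first time a login came from it
        last_bank_change = None
        for when, action, ip in evs:
            if action == "login":
                first_login_from.setdefault(ip, when)
            elif action == "bank_account_change":
                last_bank_change = when
            elif action == "distribution_request":
                reasons = []
                seen = first_login_from.get(ip)
                if seen is None or when - seen <= window:
                    reasons.append(f"request from address {ip} first seen within {window}")
                if last_bank_change is not None and when - last_bank_change <= window:
                    reasons.append("payout bank account changed shortly before request")
                if reasons:
                    alerts.setdefault(pid, []).append((when.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for pid, hits in flag_suspicious_distributions(EVENTS).items():
        for ts, reasons in hits:
            print(pid, ts, "; ".join(reasons))
```

A flagged request is a candidate for a hold and a call-back to the participant on a previously verified phone number, which is where the article's advice about reporting suspicious activity meets the provider's own controls.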
Meyer says many breaches can be avoided by
having multi-factor authentication in place. He says having passwordless
security, which might address issues of fraud on the individual participant
level, would be less secure than multi-factor authentication. With passwordless
security, a participant is emailed a one-time password to use. Because
multi-factor requires two steps of verification—a password and then a
code—Meyer argues it is more secure.
Telling employees to create complex
passwords and putting multi-factor security in place, Massa says, makes it more
difficult for hackers to infiltrate accounts and provides an extra layer of
protection in case of a breach.
Source: Plansponsor