Cybersecurity: Validate and Communicate Alignment with the DOL’s Best Practices

March 29, 2023

Key takeaways

  • Cyber-criminals are sophisticated, and their tactics continue to evolve.

  • Firms should familiarize themselves with the DOL guidance on cybersecurity and adopt the principles as best practice.

  • While plan fiduciaries do appear to get the basics right, it is clear more work still needs to be done in certain areas.

  • Working with a third-party auditor, purchasing high-quality cyber insurance and working with leading IT specialists are integral if cyber threats are to be contained.

 

Summary

Cyber-attacks against financial institutions have become increasingly ubiquitous over the last few years, due in part to the growing sophistication of cyber-criminals and the ease at which they can access new and advanced technologies.

Recent data found that there was a 38% year-on-year increase in the number of cyber incidents in 2022 [1], with estimates suggesting these sorts of attacks could cost the global economy $10.5 trillion by 2025 [2].

Cyber-crime is a risk, which plan fiduciaries should be cognizant of. According to the latest Department of Labor (DOL) figures, defined benefit and defined contribution pension plans collectively oversee $11.9 trillion in assets [3], making them ripe targets for cyber-criminals.

In this webinar, Broadridge reviewed assessment data from CEFEX®-certified firms and then proposes how firms can shield themselves against the threats of cyber-crime using the 2021 best practices released by the DOL.  

 

A threat not to be underestimated

Today’s crop of cyber-criminals should not be underestimated. “We are not talking about an 18 year old operating from their parents’ basement. These cyber-criminals are well-funded and well-organized entities, which operate like businesses. It can be very lucrative, and the people behind these attacks are well-educated and highly motivated,” explained Steve Walters, Chief Information Security Officer at Infonaligy, a cyber-security firm.

The nature of cyber threats is also rapidly evolving. Previously, the most common type of cyber-attack involved the deployment of ransomware - whereby criminals would access a company’s systems and encrypt their data and records, before demanding payment in exchange for their release. 

Nowadays, institutions are incredibly concerned about the reputational risk that can arise from data leaks, a fear that criminals are all too willing to exploit. Consequentially, cyber-criminals are extorting their victims by gaining access to proprietary or sensitive data (i.e. customer records) and then threatening to make the information public -  unless a ransom is paid.

Even if institutions do acquiesce to these demands, there is no firm guarantee that the cyber-criminals responsible will actually delete the data.

 

Regulators respond to the risk

Conscious of this growing cyber-crime risk, the DOL’s EBSA (Employee Benefits Security Administration) published a comprehensive set of cybersecurity best practices that are aimed at plan advisors, plan sponsors, plan participants, recordkeepers and TPAs. Here is a list of those guidelines:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, store and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

“It is vital that market participants take a close look at the DOL guidance. Even though the document is only a few pages long, there is a lot of information packed in there,” said Bonnie Treichel, Founder and Chief Solutions Officer at Endeavor Retirement, a consultancy supporting plan fiduciaries. With the DOL taking cybercrime more seriously, plan fiduciaries need to as well.

 

Cyber-hygiene – more work to be done….

Based on annual policy-and-procedure audits by independent expert analysts, the overwhelming majority of CEFEX-certified firms have foundational cyber-hygiene and data protection policies in place. For instance, most encrypt PII (Personally Identifying Information) on their servers or use multi-factor authentication, and have written policies detailing who can access electronic applications; the procedures for handling security breaches; and a formal disaster recovery plan.

The existence of well-documented policies and procedures should help insulate plan fiduciaries from any legal challenges - should their businesses fall victim to a cyber-attack.

However, there are areas in need of urgent improvement. Some of the smaller firms are guilty of assuming that their diminutive size means they will not be targeted by hackers. This complacency is misplaced, especially as a lot of the attacks today are carried out via automated systems, which do not take into account a target’s size.

It is also clear that policies around remote working need to be tighter. 83% of CEFEX-certified firms told Broadridge that they had written policies clarifying what security measures remote workers should take.  Although this number is high, a significant minority of respondents still do not have a security code of conduct for remote workers.

Remote working – which exploded in popularity during the pandemic – opens institutions up to all sorts of cyber vulnerabilities. For example, if a remote employee shares a work laptop or tablet with their family, then this could lead to the device being compromised (i.e. if a malicious app or game is downloaded). As such, access to work devices needs to be strictly controlled.

It is also essential that plan fiduciaries adopt robust onboarding and offboarding policies. The importance of having a clearly defined offboarding policy was highlighted by the Colonial Pipeline hack in 2021, which resulted in gas shortages across the Southeast US. In the case of Colonial Pipeline, hackers were able to breach the network by using a VPN account, which was no longer in use, but could still access the network.[4]

Irrespective of whether plan fiduciaries comply with the DOL guidelines and adopt best practices, the risk of being hacked can never be truly eliminated. It is vital therefore that firms purchase high-quality cyber insurance to help cover them for losses arising from an attack. And a growing number of CEFEX-certified firms are acquiring insurance – up from 80% of certified firms in 2020 to 88% in 2022.

 

Having clear action steps are critical

Plan fiduciaries need to develop a roadmap and assign roles and responsibilities based on the DOL’s cybersecurity guidance. But first, they should determine their level of expertise in the cybersecurity space. They should consider outsourcing services to a high-caliber IT firm that’s well-versed in cybersecurity matters and can perform regular audits and penetration tests of their systems.

Firms should also consider independent verification of their cybersecurity practices thereby demonstrating to clients and stakeholders that there are proper controls, policies, and procedures in place that meet the best practice standards. This can be done through the CEFEX certification program. Not only does the program assess that a prudent investment process is in place, but it now includes an optional cybersecurity assessment to demonstrate adherence to the DOL’s best practices.

If you would like to watch the complementary recorded webinar on this topic, click here. To learn more about CEFEX certification, visit www.cefex.org.

 

[1] Security Magazine – January 20, 2023 – Global cyber-attacks increased 38% in 202

[2] Forbes – February 6, 2023 – Cyber apocalypse 2023: Is the world heading for a catastrophic event?

[3] DOL data

[4] Bloomberg – June 4, 2021 – Hackers breached Colonial Pipeline using compromised password