Plan Sponsor Interview with Margaret Haering on Cybersecurity and Data


As fiduciaries, what new and additional measures have you implemented on the cybersecurity front for your participants this past year in the face of increased concerns?

We have encouraged all participants to register for online account access (even if they do not use that method for conducting transactions) to prevent bad actors from using stolen data to obtain online access in their name. We encourage all participants to “consent” to multi-factor authentication (our TPA made it optional). We remind participants to check accounts regularly and to notify the TPA immediately if their email address/password has been compromised.

What additional tools have you seen in the industry or at other plans that you hope to roll out? 

Some TPAs offer voice authentication for participants. I suspect that may be platform driven. We have not implemented anything like that yet. We are making MFA mandatory.

How do you view the current set of DOL guidelines and regulations on plan cybersecurity? Do you think they are ample for the industry currently, or would you like to see additional measures and language based on what you have witnessed?

The DOL guidelines and regulations on cybersecurity are a good start. However, we still need to address the human factors that make cybertheft such a risk. Customer service employees still get fooled into ignoring their intuition, training or established processes to “help” somebody out. In one recent case, customer service employees noticed mismatched signatures and commented on seemingly irrational behavior, but authorized distributions anyway. Every fraudulent distribution requires review of the choices that enabled it. Are protocols so cumbersome that required account change notices are not (or cannot be) communicated to the participant in a timely fashion? Are waiting periods for distributions following a bank account/address change sufficient? Are dollar thresholds for verification procedures (like bank account ownership) set too high?

Do plans like yours face any unique risks when it comes to cybersecurity compared with other public or private plans? What would your advice be for comparable plans? 

Due to Freedom of Information requirements, governmental employees have their names, agencies, and compensation posted online in searchable databases. Retirees’ pension amounts are equally accessible. All of this disclosure in the name of “openness” makes it easier for thieves to target participants likely to have high plan balances. Ceasing this practice would afford more protection to governmental plan participants.