The need for robust security in the retirement plan industry

Cyber-attacks have increased aggressively over the past years, and are affecting every industry. While it started with few risks, the reality is that they occur every day, and are only increasing in complexity and sophistication. Since the pandemic, India registered the seventh-highest malware encounter rate across the region, at 5.89% in the past year, showed the Microsoft's Security Endpoint Threat Report.

For any player in the retirement plan industry, property or data theft would mean a loss of trust, which could be devastating. The majority of participants find their plan advisors through referrals and 70% switch advisors if they feel low levels of trust. For plan sponsors (that is, employers of the retiring employees), the cost of the data breach includes the costs involved in detecting the extent of the breach, recovering data, and restoring systems integrity.

Hence, it is critical that both plan providers and sponsors treat cybersecurity as a critical asset in building a business that heavily depends on customer trust and satisfaction.

The retirement plan industry - an attractive target

Individual Retirement Accounts (IRAs- a special type of savings account where you can park your money for the purpose of creating a retirement corpus) for over $11 trillion in retirement assets in the US alone and ₹5.99 trillion in India. These accounts contain hoards of sensitive and personal data — such as personally identifiable information (PII), electronically protected health information (EPHI), and financial information — that are permanently linked to the identity of people.

Third parties often require access to much of this information. They include plan administrators, auditors, trustees, insurers, etc. The need for wider access makes the data more vulnerable to attacks. Cybercriminals use phishing tactics such as sending suspicious emails or links which often appear from the individual's bank account with a sense of urgency, such as "Critical changes to your retirement plan”; or even use malware to enter the account holders' systems and retrieve critical financial information. We have also seen cybercriminals use ransomware attacks on servers to threaten and retrieve critical information and gain monetary benefits. For example, In St. Louis, USA, a local grocery workers' joint pension plan server was hacked, and the perpetrators demanded a ransom in digital currencies.

Building a robust cybersecurity architecture

It's no more about “if my accounts or my company will be attacked” but rather, it is now a question of “when?”. The best way to ensure a robust security strategy is to assume that cyberattacks are imminent. If an incident occurs and a security team is only reacting to a threat instead of using preset tools to safeguard systems against it, it becomes rather inefficient and expensive. In retirement planning, there are multiple layers of agencies, hierarchies, and layers that process data and it is very important to have a well-planned disaster recovery protocol. A robust strategy should entail-

Data management to identify, categorize, control, and protect data.

Technology management to ensure that end-to-end applications and security software across all service providers are up to date.

Service provider management to audit and perform due diligence on data security structures of all service providers.

People issues to ensure that all the personnel involved across transactions are trained and are up to date with privacy policies.

Each of these issues needs to be considered across the retirement planning industry landscape, which includes sponsors, fiduciary, record-keepers, etc.

There is a structured approach drawn by the US Department of Labor- advisory council on employee welfare and pension benefit plan to establish a cybersecurity strategy. It begins with every stakeholder in the retirement plan process having a thorough understanding of the data, the processes used, and knowledge of how the data is kept.

Plan sponsors then contribute to a common idea table and employ common security frameworks selected according to their needs. The process usually entails

Identify: Understand the business context, resources to identify risks

Protect: Develop safeguards to limit the impact of a potential cybersecurity event

Detect: Build monitoring and detection systems to identify threats proactively

Respond: Develop a strategy to respond to cybersecurity events, if they occur

Recover: Plan for the restoration of services and resilience from long-term impairment

Even if the frameworks are standardised, the organisation needs a cybersecurity strategy that works uniquely. Therefore, take the ideas from the different sources and apply them. It is also important to make it dynamic and adaptive. Cybersecurity threats evolve every day to become more and more complex. So should a robust security strategy.

This article has been written by Arvind Venkatraman, Chief Technology Officer at Congruent Solutions