Welcome to Pensions, Benefits & Investments Briefings, Nossaman’s podcast exploring the legal issues that impact governmental, private and non-profit pension systems and their boards. Be sure to subscribe wherever you listen to podcasts so you don't miss an episode!


  • Cybersecurity Risk Management for Pension Plan Administrators: Tips for Staying Ahead of the Hackers

    With recent well-publicized data breaches impacting pension systems and their retirees nationally, as well as increased Department of Labor scrutiny surrounding cybersecurity policies and procedures implemented by ERISA employee benefit plan fiduciaries upon audit, the topic of cybersecurity risk management is even more top of mind for pension plan administrators. In this episode of Pensions, Benefits & Investments Briefings, Ashley Dunning and Michelle McCarthy welcome Peter Dewar, President of Linea Secure, and Amy Timmons, Senior Vice President of Administration & Technology Consulting at Segal, to discuss pension systems’ cybersecurity risk management and the impacts of artificial intelligence (AI), social engineering and “whaling,” as well as best practices and lessons learned with respect to pension systems’ cybersecurity risk management.

    Transcript: Cybersecurity Risk Management for Pension Plan Administrators: Tips for Staying Ahead of the Hackers

    0:00:00.0 Ashley Dunning: With recent well-publicized data breaches impacting pension systems and their retirees nationally, as well as increased Department of Labor scrutiny surrounding cybersecurity policies and procedures implemented by employee benefit plan fiduciaries upon audit, the topic of cybersecurity risk management is even more top of mind for pension plan administrators. Today, we will gain insights from three experts on pension systems' cybersecurity risk management, continuing a discussion we began in our podcasts nearly two years ago. In this podcast, we will continue our focus on highlighting best practices and discussing lessons learned with respect to pension systems' cybersecurity risk management.


    0:00:56.2 Speaker 2: Welcome to Pensions, Benefits & Investments Briefings, Nossaman's podcast exploring the legal issues impacting governmental, private and nonprofit pension systems and their boards.

    0:01:11.5 AD: Welcome to another episode of Nossaman's Pensions, Benefits & Investments Briefings. I'm Ashley Dunning, Co-chair of Nossaman's Pensions, Benefits & Investments Group, and I'm joined today by three experts to help us address this important topic of cybersecurity risk management. First, I'm joined by my law partner Michelle McCarthy, who specializes in legal compliance advisory work for both ERISA and governmental plans, including among other topics, Department of Labor guidance on how plans governed by ERISA are to address cybersecurity risks. We also are joined by two leading cybersecurity experts who consult with pension plans globally. Peter Dewar, President of Linea Secure, and Amy Timmons, Senior Vice President of Segal Consulting. Welcome, Michelle, Peter, and Amy.

    0:02:07.1 AD: So, starting first with Michelle to give us a little context here, it's my understanding that historically, the US Department of Labor or DOL has been relatively quiet with respect to fiduciaries' responsibilities to protect ERISA-covered benefit plan data. That is until April 2021 when it issued new guidance for addressing cybersecurity risks associated with benefit plans. What changed?

    0:02:35.5 Michelle McCarthy: It's important to note that leading up to the issuance of the guidance, there were a number of data breach incidents and cyber thefts that involved employee benefit plans, and that included a number of identity thefts and fraudulent withdrawals of participants' retirement funds. And with these types of employee benefit plans, especially pension plans, it's critical to remember that there is a lot at stake. Because in addition to holding billions of dollars in assets, employee benefit plans contain personal data regarding participants, including names, dates of birth, addresses, phone numbers, Social Security numbers, beneficiaries, and with respect to health and welfare plans, it could include health data, among other things.

    0:03:21.3 MM: And while the assets that are taken from an employee benefit plan can be quantified, the value of the stolen data is effectively unknown. Through issuing this guidance, I think the DOL was just clearly trying to signal to plan sponsors and fiduciaries that it expects them to implement strong cybersecurity practices and oversight of third-party providers so as to reduce an organization's exposure to cybersecurity events.

    0:03:48.9 AD: That's really helpful context. Thank you. Could you please summarize the Department of Labor's cybersecurity guidance that they've now promulgated? And specifically what does it direct both plan sponsors and fiduciaries to do?

    0:04:04.5 MM: Sure. So the first piece of the DOL guidance is titled Tips for Hiring Service Providers, and this outlines factors that business owners and fiduciaries should consider when selecting retirement plan service providers. Specifically, it recommends that fiduciaries ask about the service provider's data security standards and audit results and benchmark those against industry standards. It also recommends that plan sponsors and fiduciaries ask about past security events and responses and evaluate service providers' track records with respect to prior security incidents, like how they have responded to litigation or security leaks.

    0:04:40.5 MM: It also recommends that plan sponsors confirm that the service provider has adequate insurance coverage that would cover losses relating to cybersecurity and identity theft, including losses caused by both internal threats and external threats, for example, employees versus third-party fraudulent access to participant accounts. Finally, the guidance provides that plan sponsors should ensure that the services agreement permits the plan fiduciary to review the service provider's cybersecurity compliance audit results, and require ongoing compliance with cybersecurity standards.

    0:05:11.7 MM: There were two other pieces of DOL guidance. The first of these is called The Cybersecurity Best Practices. This is directed squarely at ERISA plan record keepers and service providers who have access to plan-related IT systems and plan data. For example, like a plan administrator that the plan sponsor would share the participant data with. This is probably the most detailed of the three pieces of sub-regulatory guidance, and it summarizes 12 best practices that service providers should implement to mitigate exposure to cybersecurity risks. Since Amy is going to be discussing these best practices in more detail, there's no need for me to summarize them here.

    0:05:46.6 MM: But I would just say that although this guidance is specific to service providers, the DOL points out that plan fiduciaries should be aware of these best practices so as to enable them to make prudent decisions when hiring a service provider. For this reason, we've been recommending to our clients that are plan fiduciaries issuing RFIs or RFPs or negotiating agreements with service providers to use this as guidance to determine the minimum standards to request as representations from service providers when entering into new agreements. And we also recommend that the plan sponsor engage in meaningful negotiations over these types of terms, and that they document what they've done in order to ensure that these cybersecurity practices are complied with by the third parties that they hire.

    0:06:32.7 MM: The last piece of DOL guidance is called Online Security Tips. This is directed at plan participants and beneficiaries, and it informs them of ways to keep their online information and account safe. And some of these security tips include the use of multi-factor authentication, keeping contact information current and avoiding phishing attacks. And we just recommend that plan fiduciaries, plan sponsors circulate these, provide notices to plan participants in order to help plan participants know ways that they could mitigate their exposure to cybersecurity threats. And this also is important that plan sponsors do circulate these types of notifications to plan participants in order to demonstrate to the DOL that they have complied with the guidance.

    0:07:21.2 AD: Michelle, that was very helpful for providing the DOL guidelines here. And I'd like to turn to Amy now to have you share with us what you're seeing with regard to organizations' compliance with DOL guidance regarding cybersecurity, if they're an ERISA plan or even if they're not necessarily governed by it, but perhaps looking to it for that guidance. And where are you seeing the biggest gaps between the DOL guidance and what organizations are actually doing?

    0:07:56.6 Amy Timmons: So thank you, Ashley. The DOL guidance has really set the standard for most organizations on what they should be doing with regards to cybersecurity, whether they are an ERISA plan, whether they're a health plan or a pension plan, and whether they're public sector or not, it has become sort of the baseline measurement of how well you're doing on cybersecurity. If I look at the organizations that we've worked with, most of them are striving to comply. They're looking at the guidance and assessing where they're at, and most of them have done a pretty good job on the basics.

    0:08:33.7 AT: But for each of the 12 different guidelines, there are gaps. So, if you are looking at having a well-documented cybersecurity program or an effective business resiliency program, those things are on paper. They may be very well written on paper, but they haven't been tested or tested regularly. The second part of that program though is making sure the user knows what to do. And that's been another gap, is that the users don't know what to do. IT knows, but the business user, who is usually the first person faced with a hack or a breach, doesn't know what to do. So it's educating that average user.

    0:09:17.1 AT: If you look at the next kind of group of guidelines, which include information security roles and responsibilities, strong access controls, strong technical controls, and a secure system development lifecycle program, many of those were loosened during COVID or have been loosened up for hybrid work or remote work. Now is the time to be reviewing them and see if they're still appropriate in today's environment and what you are doing in your work environment with your people. Not all of them are up to date. There have been new roles created, there have been new needs, people have changed roles, and there are new tools that can help you monitor and track roles, and those things need to be implemented to better secure yourself.

    0:10:03.6 AT: Another guideline is conduct periodic cybersecurity awareness training. What I'll say is the key word in there is periodic. It's not a one and done. I've seen a lot of clients who have hired people, done great training for them and then never done it again. And so the thing is to continually train your employees about cybersecurity awareness and what they can expect. Encrypting sensitive data stored and in transit, pretty standard. Most people are doing this, but what I'll say is make sure you encrypt everything. You're encrypting your phones, you're encrypting your laptops, you're encrypting your tablets, you're encrypting your desktops, et cetera, et cetera, et cetera. Anything that can be touching that data should be encrypted.

    0:10:54.2 AT: Conduct prudent annual risk assessments and have a reliable annual third-party audit of security controls. What we're seeing clients facing is there are a variety of standards. There's NIST, there's HIPAA, there's SOX, there's SPARK, there's ISO. So, the first question is, which standard do you comply with or which standard do you assess yourself with? And then the second piece is making sure it's done by a third party, giving you that fresh objective set of eyes looking at it. Appropriately responding to past cybersecurity incidents, Michelle already highlighted this when she talked earlier. You can't do an assessment and have audit or assessment findings and not do anything.

    0:11:33.9 AT: In the DOL's eyes, at least from our experience, that's even worse than not doing the assessment at all, because then you are knowingly allowing a gap in your security. But I will say, at the end of the day, the biggest one needing action is in fact assessing the security of your third-party service provider and making sure that their security is sufficient for your needs and that you're comfortable with them. And then, depending on your findings, if it is a vendor that is not secure or you don't feel comfortable with their security, it then becomes a decision for senior management and trustees to determine if you wanna continue to do business with them, or if you wanna help them and work with them to get their security to a level you're comfortable with.

    0:12:23.3 AD: Amy, thank you for all of that detail. You ended on third-party vendors and risk, and I'm gonna ask Peter a specific question on that. Peter, how do you specifically recommend that plan fiduciaries manage supply chain or third-party risks, particularly in light of recent publicly reported incidents that include exposure of annuitant information that Michelle referenced in her introductory comments?

    0:13:04.8 Peter Dewar: Hey, Ashley. Thanks for that question. Supply chain risk management is a very difficult task for many pension funds and organizations generally because vendors are used to support many parts of normal business operations, for example, from IT services to actuarial and investment services and beyond, and each service area comes with its own risk profile. We recommend that pension funds specifically adopt a supply chain risk management program that will quantify the level of risk each vendor represents to the fund's assets, either financial or confidential information, develop a governance policy on how supply chain risk will be managed and measured, and then evaluate if your supply chain is in compliance with your expectations.

    0:13:45.3 PD: Extend your cybersecurity controls to third parties that have access to sensitive information, ensuring that the protections that you've deemed necessary to manage your organizational cybersecurity risk are extended to those that provide critical services to you. And then perform due diligence, by actively verifying that agreed-upon cybersecurity controls are working as planned. This could be accomplished by reviewing SOC reports, executing formal audits or assessments yourself, or gathering information through questionnaires, as was mentioned before, or performance surveys.

    0:14:26.8 PD: Now, we believe that the best time to encourage a third party to comply with your expected security governance is to include those provisions in your agreements at the beginning of a relationship or during the renewal period. That's when you have an opportunity to encourage them by gently nudging them along that these controls are important to us and that we require them to maintain the cybersecurity governance that we've put in place to protect our information. And now, you as a third party who has access to that information need to also make sure that those controls are working appropriately.

    0:15:09.3 AD: Great ideas. Thank you. Turning back to you Amy, what are the emerging issues or concerns with cybersecurity that you see organizations having?

    0:15:19.7 AT: I will say that the biggest issue right now is artificial intelligence, which is a hot topic everywhere, but paired with that is social engineering. The first reported case of an artificial intelligence voice hack happened in March 2019, where hackers convinced the CEO of a UK energy company to send $243,000 to a hacker because they recognized their boss's voice. In October of 2021, fraudsters used AI voice to convince a bank employee to transfer $35 million to a fraudulent account. These are things that aren't necessarily covered by cyber liability insurance because you voluntarily sent the money, and if you don't admit that something happened, you won't get your IT people to quickly try and pull things back.

    0:16:18.7 AT: Fake images are all over the internet, all over the news. You can see those all the time. One of my favorite stories on the fake images is in 2019, a 17-year-old generated a fake congressional candidate that was certified by Twitter and Ballotpedia as a legitimate candidate for the election. It's all fake. And then, more entertaining, in June 2022, Metaphysic, a company, appeared on America's Got Talent and demonstrated a real-time deepfake of a singer performing as Simon Cowell. So, it's all over the media. People are going to fall for, oh, I recognize their voice, oh, I recognize that image, that face if I'm on video with them, and it's problematic in every case.

    0:17:10.3 AT: So, what I would say is the three biggest risks from my perspective are AI paired with social engineering. Getting fooled into giving information that you shouldn't that allows hackers to get money, get into your system, get information, steal. Part of that is paired with the second biggest risk, which is unknown policies, making sure that people know who is authorized to do what kind of transfers, what's their span of authority, what are your policies and what are the verification steps to make sure it's a legitimate request? And finally, where we're seeing big attacks is on what is called whaling. It's phishing, but it's phishing for targeted executives and key people who have that span of control and that access to transfer money, approve access to systems and information. Staying on top of those is really some of the biggest risks we're seeing with clients.

    0:18:14.7 AD: So much to think about, Amy. I'm sure your examples give people a lot of pause when they think they also would recognize somebody's voice, certainly their image. That's typically the way that sort of, in my world, one verifies things. And as you point out, that doesn't work with social engineering and AI. And I'm sure the whaling comment will be of interest to many who listen to this podcast as there are some who are going to be more targets for what you're talking about. Peter, in light of all of this and what you also see in your world, consulting on these issues, what are some of the best practices that you would recommend for organizations to adopt so that they can manage this evolving cybersecurity threat?

    0:19:04.8 PD: I think it's best that an organization design and implement a comprehensive information security governance program that proactively manages cybersecurity risk, rather than reacting to each evolving risk as it comes out. The program should align with best standards for enterprise risk management, such as the National Institute of Standards and Technology's Risk Management Framework, the NIST 800-53 Revision 5 Cybersecurity Standards, or the International Organization for Standardization, ISO 27000 series. And there are many others that I won't mention. The program components could include the review and development of governance, cybersecurity and risk management policies, a classification of the data that's collected, generated, and used by the organization.

    0:20:00.8 PD: It could include the development of incident response plans that include the testing of such plans. Also designing and implementing a vulnerability management program so that you could be aware of the evolving threats, as many of our audience have heard about the recent threats that have affected pension fund operations. And so you want to be aware of the evolving threats and determine if you're affected by them. Also, performing penetration testing so that you could see if threats that are out there become actual vulnerabilities for your organization and could be exploited by threat actors. We recommend also creating a cybersecurity awareness and training program so that the organization's staff become aware of the threats that they could be exposed to based on their role within the organization.

    0:20:56.9 PD: We recommend developing a system security plan for major applications that specifies the security controls that protect the technology, data and people that use the systems. This should also be consistent with the overall organization security posture and policies. But significantly, organizations should develop a way to measure if they're progressing or regressing in any of the areas identified. Some organizations utilize a scoring methodology that makes it easier to communicate the results of an information security program to non-technical parties such as your board and executive staff. These are some of the things, Ashley, that we recommend organizations do, especially develop an information security program with a comprehensive governance structure that manages cybersecurity risk similar to the way that risk is managed across the organization in other areas.

    0:21:58.5 AD: Thank you. That's a lot to think about. Amy, without necessarily repeating some of the insights that Peter provided, and I'm sure are right up there for you as well in terms of best practices, are there any other key activities that you're seeing organizations take to better protect themselves?

    0:22:20.2 AT: Other than, as Peter said, it is testing, it's training, it's having that plan and making sure that everybody understands it, there are a couple of other activities. One particular to pension plans is encouraging your actives and retirees to register for their online accounts. I can't tell you the number of times, in talking with people, they're like, "Oh, I'm not signing up for my online account because then I won't be exposed to that evil hacker." You're actually worse off. As an organization, encourage people to register and make sure that they're the ones registered for the account, because one of the biggest hacks on the pension side has been finding those inactive accounts and registering and signing up people for those accounts and redirecting their pensions. So that's a huge one. It's a very simple thing to be doing, but it's very important for the safety of the organization and your membership.

    0:23:19.6 AT: One of the other big things that we've seen, and we had a client who had a ransomware attack and didn't have this in place, is having vendor partners on standby and ready to help you when something happens. And I do mean when, because this is not an if anymore, sooner or later something is going to happen that may look like a breach. And if you have cyber liability insurance, they have those vendor partners on standby and ready. But if you don't have that insurance, you need to have pre-screened, already-established relationships with lawyers, with IT forensic experts, with public relations people, with credit monitoring services, all those things to be ready, because if you don't, it will take you months and months and months before somebody will even talk to you about it. And so you're just way behind on the recovery curve. So, those are probably the biggest things I would say that we're seeing to add on to what Peter already identified.

    0:24:21.6 S2: Those are great takeaways, Amy, and probably of great interest to, whether it's retiree organizations who are trying to inform their own membership about why it matters that the retirees themselves sign up, as you say, for their online accounts, or the administrators who obviously are very busy with all sorts of things, but this has to be high on the to-do list if they don't have it in place already. To that point of staff and managing all of this risk, Peter, I'll end with a question for you. Noting that many funds are challenged to hire skilled and experienced staff to fill the unique roles required for cybersecurity personnel, do you have any recommendations for them as to what to do and maybe identify some trends in the industry on this point?

    0:25:14.4 PD: Yes, actually I do. So, the staffing challenge is not limited to pension funds, and is being experienced by many public and private entities as organizations compete for the same skilled resources. The challenge is more acute when the mission requires specialized resources in many disciplines and organizations are constrained by the number of personnel that they could allocate to any one area, such as cybersecurity per se, which requires both technical and non-technical skillsets. Some of the challenges include limited staff with the experience to address the magnitude of the problem being faced. Vulnerabilities are exposed on a daily basis. And IT and cybersecurity positions are very expensive.

    0:26:00.2 PD: The magnitude of the threats across an entire organization, they're expansive, and the ability to identify those threats is limited if knowledge of the inherent threats that pension funds specifically face is not understood. To solve this problem, many organizations are turning to virtual information security services that offer an array of options for them to choose from to address the needs that are not being met internally. These combined services include internal risk assessments, penetration testing, vulnerability management, security policy development and implementation, and third-party risk management services. Also cybersecurity awareness and training, as Amy had discussed before, and this includes social engineering campaigns and application security plans to protect the major systems that you run.

    0:26:54.8 PD: So, virtual services are scalable to meet the need of an organization where specialists in each domain could be used at a fraction of the cost of carrying them, say, as staff members, covering the array of inherent risks and internal and external threats that funds would face. So, these are just some of the ways that organizations are trying to find outside resources rather than carrying expensive staff, especially in a narrow domain, but one that covers the entire organization. It's very hard to find, say, a technical person that's familiar with the investment process, say, that has a lot of inherent risk. So, when you're moving financial assets around, we're finding that threat actors are inserting themselves into that conversation.

    0:27:48.9 PD: As Amy pointed out, using voice impersonation, they were able to redirect funds. Well, they're doing that during, say, a capital call, a process where you have to fund an investment. And so a threat actor is trying to redirect the funds in any manner that they can. It might be using AI or just using regular intercepts of email and so forth, but they're reading board minutes. So, they're understanding your business operation. They understand when you take a position in a certain asset or if you're using a certain service because usually the approval of that contract is public. So, they understand the third parties that you utilize, and they're becoming very smart about how to attack you because you are providing a lot of information publicly that they could consume and craft attacks to exploit any vulnerabilities they could find in your business operation.

    0:28:55.4 PD: And these vulnerabilities might not be technical. They might just be business processes that you are performing that are required business processes, such as the use of an actuary. Most funds do an annual independent actuarial evaluation, and threat actors know that you're providing a third party with a copy of your entire participant or census data. And if I could intercept that transaction, as recently occurred with another service that we are all aware of, then I could get access to your data without actually compromising your systems, but I could then compromise the third party. So, the problem is huge, and having the right services or staff mixture to mitigate the evolving threats is a challenge that many organizations are facing today.

    0:29:55.5 AD: Thank you for those insights, and we will conclude this podcast now with a big thanks to all three of you, Michelle, Peter, and Amy, for contributing to our knowledge in this important and evolving area. For additional information on this topic and other pension issues, please visit our website at nossaman.com, and don't forget to subscribe to Pensions, Benefits & Investments Briefings wherever you listen to podcasts so you don't miss another episode. Until next time.


    0:30:30.7 S2: Pensions, Benefits & Investments Briefings is presented by Nossaman LLP, and cannot be copied or re-broadcast without consent. Content reflects the personal views and opinions of the participants. The information provided in this podcast is for informational purposes only. It is not intended as legal advice and does not create the attorney-client relationship. Listeners should not act solely upon this information without seeking professional legal counsel.
