As a third-party administrator, you are responsible for handling several administrative duties for other organizations. TPAs typically take on claims processing, loss control, risk management, and retirement plan administration, among other roles. The collection and safeguarding of sensitive participant information fall to you, as well as the timely distribution of payouts to participants and their beneficiaries, day-to-day management of funds, and compliance with all IRS regulations.
What’s more, you are a target for cybercriminals. Despite having sophisticated security systems, large companies, such as Target and Sony, have not been immune to cyber attacks. This trend has caught the attention of the retirement plan industry, and it’s not just the large plans that have to be diligent – but smaller ones too.
As of 2018, EBSA estimates there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants, covering estimated assets of $9.3 trillion.1 Without sufficient protection, these participants and assets may be at risk from internal and external cyber security threats. In response, the U.S. Department of Labor (DOL) announced new guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on best practices for maintaining cyber security.
Cyber Security Overview
The first half of 2021 has seen significant ransomware activity, with hefty ransom demands, major disruptions, and leaked data. Here are a few examples of recent cyber security breaches.
CNA Financial Corp, one of the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack.2 After company data was stolen and CNA officials were locked out of their network, the Chicago-based firm took immediate action by proactively disconnecting its systems. CNA said, “they did not believe systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.” The restoration was not fully complete until May 12.
On May 14, the Irish National Health Service Executive (HSE) shut down its IT systems following a major ransomware attack, and operations have yet to return to normal.3 Critical patient and staff information was accessed and leaked, including a small amount of HSE data which appeared on the “dark web.” Patients experienced delays and, in some cases, cancellations. It was not until June 30 that online registration for medical cards was restored. Despite the disruptions, Ireland’s public health network said it would not pay the $20 million in ransom, and neither would the government.
According to the latest data breach report by IBM and the Ponemon Institute, the cost of a data breach in 2021 is $4.24 million – a 10% increase from 2019. The global average cost of cybercrime is expected to peak at $6 trillion annually by the end of 2021, due to the proliferation of ransomware attacks.4 Ransomware payouts have risen massively in the past few years, but the real costs go far beyond what’s paid to the attackers.
Intermedia says 32% of victims go five days or longer without access to their files.5 TPAs are no exception. You have responsibility for a lot of participant data – including names, social security numbers, dates of birth, and addresses – as well as account balances. A cybersecurity breach could easily wipe out a participant’s entire balance, not to mention putting your system at risk.
Zero Trust Mindset
Zero Trust security is going mainstream, and for good reason. As cyber attacks become more advanced and businesses move to hybrid cloud and remote work, cyber security is more important than ever. Created in 2010 by Forrester Research principal analyst John Kindervag, Zero Trust requires verification and authorization for every device, application, and user before it is granted access to the network.6
In the old castle-and-moat model, implicit trust was the norm. Networks were protected by firewalls, VPNs, and gateways. Today’s IT departments require a new way of thinking because, for the most part, the castle no longer exists in isolation as it once did. Organizations no longer have their data in just one place; information is often spread across multiple locations and devices using the cloud. The Zero Trust mindset reduces the role of the perimeter, driving companies to replace legacy systems and implement a holistic approach to security. Trust no one and nothing.
DOL Guidelines and TPA Firms
On April 14, 2021, the DOL issued guidance on maintaining cybersecurity, including tips on protecting retirement benefits. The guidance comes in three forms: cybersecurity program best practices for recordkeepers and other service providers, tips for plan sponsors on selecting a service provider, and general online security tips.7 To assist plan fiduciaries, recordkeepers, and other service providers responsible for plan-related IT systems and data, the EBSA recommends the following:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data stored and in transit.
- Implement strong technical controls following best security practices.
- Appropriately respond to any past cybersecurity incidents.
So what does this mean for TPAs? As a TPA, you are a fiduciary for the plans you administer. As such, you must act with a high standard of care toward the plan participants and your plan sponsor clients. Following these guidelines ensures that all participant data you manage, along with your systems, are well-protected 24/7.
Every organization is unique in terms of the impact of a breach. For example, a data breach may have more pronounced consequences for your TPA firm than, say, a manufacturing company. As cyber attacks increase in volume and creativity, the risk footprint will expand. If you want to be resilient, the foundation comes from the basics. Here’s what you need to know.
- Enhance Your Password Safety: Passwords are essential to protecting your sensitive information, and they aren’t going anywhere. Many businesses fail to consider password safety as part of their cyber security awareness and training, which can result in a breach. Enforce a strict password policy, including multi-factor authentication and regular password changes. Encourage users to log out of systems after each use, especially in public settings.
- Fight off Phishing Attacks: Phishing is one of cybercrime’s oldest threats, and it’s still going strong. The Anti-Phishing Working Group (APWG) reported over 245,771 phishing attacks in one month.8 Many attacks are more sophisticated, harder to detect, and easier to create and deploy at scale. Train users on how to identify and NOT respond to phishing emails, and keep your systems patched.
- Secure Your Remote Work Practices: Remote work is no longer a perk or an arrangement that moves business processes during a disruption – it’s the norm. While working from home is convenient and has many benefits, it exposes companies to a new set of cyber security risks. To combat threats, limit or remove personal device use, mandate VPNs across your organization, and limit access to what users can see and do.