
Confero, a quarterly publication of Fiducia Group, LLC. Source: fiduciaretirement.com/upload/Confero-Issue-23_Fiducia.pdf


CONFERO
A quarterly publication of Fiducia Group, LLC

Also inside: Editor's Letter | The Roland Roundup | Partner Spotlight

ISSUE NO. 23

A variety of topics discussing Cybersecurity

Fiducia Group Celebrates 10th Anniversary!


Subscribe now. It's free.

Visit fiduciaretirement.com/confero-magazine to view the online version. Subscribe to Confero by sending your email address to [email protected].

Editor's Letter

Welcome to the Summer 2018 Issue of Confero

Have you ever received an email that looked like it was from someone you knew, but it had a suspicious link embedded in it? Did you click on it and have your computer light up like a Christmas tree with warning lights? This is an example of how hackers use emails as phishing attempts to create a breach in cybersecurity. We at Confero magazine believe that an informed consumer is the best defense against cyberattacks. In this issue of Confero we discuss the best ways to protect against cyberattacks and the best practices businesses should employ to protect the sensitive information they store. We have gathered some of the best minds in employee benefits, and they show you how you can strengthen your company's cybersecurity.

Max Kesselring

Confero | 1


Table of Contents

Intro

01 Editor's Letter, by Max Kesselring

04 Featured Contributors

08 Roland Roundup, by Roland Salmi

Featured Articles

10 Cybersecurity Risk Assessment Best Practices, by Russell Sommers

16 4 Cybersecurity Tips, by Troy Guerrette

20 Best Practices in Cybersecurity: Securing Your Digital Walls, by Gary Nichols & Lew Tucker

24 Monitoring and Protecting Against Cybersecurity Fraud in Benefits Plans, by Courtney Schenkel

28 Protecting Your Small Business From the Unknown, by Dana C. DeLuca

34 Cybersecurity - A Plan Sponsor's Fiduciary Role, by Joan Neri, Esq.

38 Cybersecurity Training, by Charles J. Privitera Jr.

40 Cybersecurity: The Industry's Next Frontier, by Eric Brickman

44 Cybersecurity and Benefits Plans: The Next Front in the Ongoing Battle to Protect Personal Information, by Jenny Holmes

Conclusion

50 Thank You, Contributors

52 Meet Fiducia Group

53 Celebrating 10 Years! Fiducia Group, LLC, Pittsburgh, PA


Contributors

Charles J. Privitera Jr., AIF®, SHRM-SCP, Westminster Consulting, LLC

Charles is a Senior Consultant at Westminster Consulting. With over 20 years of financial experience he assists his clients with the design, implementation, and investment monitoring of their retirement plans. For the last ten years he has focused on investment consulting, fiduciary liability consulting, and plan design consulting.

Russell Sommers, CPA, CISA, Baker Tilly

Russ has more than 12 years of experience in the field of public accounting, risk advisory, information technology and cybersecurity in financial services and other highly regulated industries. He's led a broad array of projects including cybersecurity consulting, regulatory compliance consulting, internal controls advisory, internal audit, information technology audit & risk assessment, vendor risk management, enterprise risk management, and SOC reporting.

Courtney Schenkel, CPA, AICPA, EFPR Group, LLP

Courtney Schenkel, CPA, a Director at EFPR Group, LLP, is recognized for her involvement in the firm's attest department as the employee benefit service line leader and member of the commercial service team. In these roles, she is responsible for the completion and technical review of the firm's defined benefit, defined contribution, health and welfare, and ESOP plan audit engagements. With over 11 years of experience, Courtney manages the planning and performance of these engagements by identifying and resolving technical issues and ensuring engagement quality. Courtney received her Bachelor of Science degree in Accounting from the State University of New York at Geneseo and earned her license as a Certified Public Accountant (CPA) in New York. She is a member of the American Institute of Certified Public Accountants (AICPA).

Publisher

Fiducia Group, LLC

Westminster Consulting, LLC

Staff Contributors

Charles J. Privitera Jr.

Roland Salmi

Featured Contributors

Eric Brickman

Dana C. DeLuca

Troy Guerrette

Jenny Lewis Holmes

Joan Neri

Gary Nichols

Courtney Schenkel

Russell Sommers

Lew Tucker

Editorial Staff

Max Kesselring, Editor-in-Chief

Sheila Livadas

Roland Salmi

For a copy of the magazine, please email info@fiduciaretirement or call 412-540-2300.

The information contained in this magazine is for general information purposes only. The information is provided by Fiducia Group, LLC (FG) and, while every effort is made to provide information that is both current and correct, FG makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the magazine or the information, products, services, or related graphics contained within the magazine for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will FG be liable for any loss or damage, including, without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this magazine.

Dana C. DeLuca, ACS, ALMI, KAFL Insurance Resources

Dana DeLuca began her insurance career at Northwestern Mutual. Prior to that, Dana had traveled the country with a career in corporate project management and advertising. Dana began her career at KAFL in 2008. Originally serving as a Case Manager at KAFL, Dana developed a collaborative approach to working with agents and specialized in building strong, supportive partnerships. She then served as an Internal Marketing Representative before moving on to her current Brokerage Manager role. She strives to develop creative marketing solutions and opportunities for agents as they work to cultivate their client relationships and build their book of business. Dana is a graduate of Babson College and a proud mother of a college-bound son. She resides in Webster, NY.

Troy Guerrette, Lincoln Financial Group

Troy Guerrette is a vice president with Retirement Plan Services. In this role, he develops the regional business plan for Lincoln Financial Group to increase new client sales with the Institutional Retirement Distribution team. Troy joined Lincoln Financial in 1996 and has over 25 years of industry experience. Troy earned a bachelor's degree from University of Southern Maine. He is FINRA Series 6, 26 and 63 registered, holds life and variable state insurance licenses, is an Accredited Investment Fiduciary (AIF®), a Chartered Financial Consultant (ChFC®), a Qualified Plan Financial Consultant (QPFC) and a Certified Life Underwriter (CLU®). Troy is located in Concord, New Hampshire.

Eric Brickman, Newport Group

Eric Brickman is Executive Vice President of Global Technology and Digital Innovation for Newport Group, a leading independent retirement services firm. Eric oversees all of the company's global technology functions as well as digital strategy, user experience and product/platform development and integration. He is also responsible for strategic planning in the areas of technology innovation, web-based solutions, digital client service and delivery strategy, digital product strategy and FinTech/InsureTech strategic partnerships. He has more than 25 years of experience leading innovation, technology and strategic planning in the financial services industry, and regularly speaks/presents at conferences on technology innovation and the digital experience within the retirement and executive benefits industries.

Joan Neri, Esq., Drinker Biddle & Reath LLP

Joan Neri is counsel at the nationally recognized law firm of Drinker Biddle & Reath LLP where she focuses on employee benefits and fiduciary issues. With more than 30 years of experience, Joan works with major publicly-held corporations, private companies, U.S. affiliates of foreign corporations and tax-exempt organizations on matters involving benefits and compensation, with a focus on all aspects of ERISA compliance and fiduciary governance. Joan represents employers, management and plan fiduciary committees on their fiduciary compliance responsibilities and advises them on the design of qualified retirement plans (including ESOPs), nonqualified executive compensation plans and welfare benefit plans, day-to-day plan administrative issues and transactional planning involving benefit plan acquisitions, plan mergers and plan terminations. Joan also counsels plan service providers (including registered investment advisers, broker-dealers, third party administrators, and recordkeepers) in fulfilling their obligations under ERISA, including fiduciary status and the considerations associated with structuring, developing and offering investment products and services to ERISA plans. Joan is a frequent speaker throughout the country on legislative and regulatory developments impacting services providers to ERISA plans, ERISA fiduciaries and employee benefit plans and has authored numerous articles on these topics.

Jenny Lewis Holmes, Nixon Peabody LLP

Jenny Lewis Holmes is an associate in Nixon Peabody's Corporate group and a member of the Employee Benefits and Executive Compensation team. She counsels clients on the design, drafting, implementation and ongoing operation of retirement plans, health and welfare plans and cafeteria plans. Jenny is also an active member of the firm's Privacy & Data Protection team, developing and implementing system-wide privacy and security plans and advising on the European Union's General Data Protection Regulation. She also creates response plans in the aftermath of a data breach and coordinates remediation and response efforts in compliance with state and federal laws. Jenny graduated magna cum laude from Syracuse University College of Law in 2015 and earned her Bachelor of Arts from the University of Virginia in 2012.

Lew Tucker, Charles Schwab & Co., Inc.

Lew Tucker is a Communications Strategist for Charles Schwab's Cybersecurity Services organization. He oversees organization communications and cyber-awareness campaigns in support of Schwab's vision. He has led IT communications for Ferguson Enterprises and Department of Defense's Joint Chief of Staff Institutions. Lew's career in communications began as a Combat Video Journalist for the U.S. Air Force, where he captured the stories of military combat operations in Iraq and Afghanistan and served the highest levels of Department of Defense and the White House Communications.

Gary Nichols, Charles Schwab & Co., Inc.

Gary Nichols is the Managing Director of Security Design & Engineering for Charles Schwab. He oversees information security standards, researching and recommending security technologies, managing cloud security strategy, and establishing security designs and prescriptive architectures for the Firm. Gary has over 20 years of information security and information technology experience within the military, government, hospitality, telecommunications, aerospace, banking, software development and insurance sectors. Prior to joining Charles Schwab, Mr. Nichols was a consultant to Honeywell Global Security, and was the Chief Information Security Officer for Blue Cross Blue Shield of Arizona.


Note: The articles included in this publication are general information and are not intended as legal advice, nor should you consider them as such. You should not act upon this information without seeking professional consent.

CyberSecurity


The Roland Roundup

Roland Salmi, Westminster Consulting, LLC

Roland is an Associate Analyst at Westminster Consulting, where he executes performance analysis, client projects and investment support for senior consultants. He brings research knowledge, industry trends and a commitment to client success to the Westminster team.

Prior to joining Westminster Consulting, Roland worked as a financial advisor at Morgan Stanley Wealth Management and as a staff accountant at St. Bonaventure University. He received an Associate of Science degree in business administration and a Bachelor of Science degree in psychology from Elmira College. He then received his MBA from St. Bonaventure University. Roland has earned his Series 7 and 66 licenses.

The Roland Roundup is a compilation of court cases that have recently been in the news. Each case focuses on a violation of ERISA guidelines. The outcomes of these cases may have a lasting impact on the fiduciary environment.

April 20, 2018

Nelsen et al. v. Principal Global Investors Trust Company et al.

A participant in the Starkey Laboratories, Inc., 401(k) and two participants in the Fleetcor Technologies, Inc., 401(k) filed a lawsuit challenging the management of Principal LifeTime Hybrid Collective Investment Funds (CITs), target-date funds offered in their plans, on behalf of themselves and other similarly situated retirement plan participants. "Not only were the Principal index funds more expensive, they were also of significantly lower quality. Compared to marketplace alternatives, Principal's index funds deviated further from the benchmark index, and consistently had the worst performance even on a pre-fee basis," the complaint says. (Pending resolution.)

Moore, Rebecca. "Principal Faces Lawsuit Over Management of TDFs." PLANSPONSOR, Strategic Insight Inc., 20 Apr. 2018, www.plansponsor.com/principal-faces-lawsuit-management-tdfs/.

May 4, 2018

Reetz et al. v. Lowe's Companies, Inc. et al.

Participants in the Lowe's 401(k) plan have filed an ERISA complaint against their employer and Aon Hewitt Investment Consultants over alleged imprudent investment decisions. Hewitt had a conflict of interest in recommending their own proprietary fund for the plan, the complaint alleges. Lowe's should have recognized that the Hewitt Growth Fund was inappropriate for the plan when it replaced eight funds that were generally performing well. By causing the plan to retain the fund, the defendants breached their fiduciary duties and caused the plan to suffer millions of dollars in investment losses, the complaint further alleges. (Pending resolution.)

Manganaro, John. “ERISA Litigation Targets Lowe’s, Aon Hewitt Investment Consultants.” PLANSPONSOR, Strategic Insight Inc., 4 May 2018, www.plansponsor.com/erisa-litigation-targets-lowes-aon-hewitt-investment-consultants/.

May 18, 2018

D'Amore et al. v. University of Rochester

A participant in the University of Rochester Retirement Program has filed a lawsuit alleging that plan participants have paid an estimated $72 million in recordkeeping, distribution, and mortality risk fees to provider TIAA. According to the complaint, TIAA has been able to extract "grossly excessive fees" because its fees are tethered not to any actual services it provides to the plan, but rather, to a percentage of assets in the plan. The lawsuit claims that the 403(b) plan has more than $4.2 billion in assets and has tremendous bargaining power to demand low-cost, high-quality administrative services. (Pending resolution.)

Moore, Rebecca. “ERISA Excessive Fee Suit Filed Against University of Rochester.” PLANSPONSOR, Strategic Insight Inc., 18 May 2018, www.plansponsor.com/erisa-excessive-fee-suit-filed-university-rochester/.

May 24, 2018

Daugherty et al. v. The University of Chicago

Without admitting any wrongdoing, the University of Chicago has agreed to pay $6,500,000 to settle an ERISA excessive fee case regarding its 403(b) plans. In addition to the monetary payment, the university has agreed to structural changes to its 403(b) plans. The University of Chicago agrees not to increase per-participant recordkeeping fees for three years from the date of final approval of the settlement and to use commercially reasonable best efforts to continue to attempt to reduce recordkeeping fees. Effective April 2, 2018, the university implemented a new investment lineup for its 403(b) plans that reduced the total number of investment options and eliminated the CREF Stock Account as an investment option available to plan participants. However, the TIAA Real Estate Account will continue to be available as an investment option. (Resolved.)

Moore, Rebecca. "University of Chicago Settles 403(b) Plans Excessive Fee Suit." PLANSPONSOR, Strategic Insight Inc., 24 May 2018, www.plansponsor.com/university-chicago-settles-403b-plans-excessive-fee-suit/.

May 29, 2018

Divane et al. v. Northwestern University et al.

Northwestern University prevails in ERISA 403(b) challenge. The court strongly rejected arguments that fiduciaries of the Northwestern University 403(b) retirement program failed to act with the loyalty and diligence required by ERISA. Further along in the decision, the court questions the common notion asserted in 403(b) plan lawsuits that employers such as Northwestern are overpaying for recordkeeping. The decision, siding with the defendants' motion to dismiss, notes that 403(b) plans are complex beings and quite a lot different in some cases than a 401(k) plan, making having multiple recordkeepers potentially advantageous and potentially making it harder for a 403(b) plan to successfully renegotiate pricing in the way a large and growing 401(k) plan can do. (Resolved.)

Manganaro, John. "Northwestern University Prevails in ERISA 403(b) Challenge." PLANSPONSOR, Strategic Insight Inc., 29 May 2018, www.plansponsor.com/northwestern-university-prevails-erisa-403b-challenge/.

May 29, 2018

Schweitzer et al. v. The Investment Committee of the Phillips 66 Savings Plan et al.

A court dismissed a lawsuit against the Phillips 66 Savings Plan investment committee for continuing to offer company stock of the company's former parent, ConocoPhillips, in the plan's investment menu. The court found plaintiffs failed to state a claim for relief based on ERISA's duty to diversify and failed to state a claim for failure to engage in an adequate process for evaluating the prudence of continuing to hold the ConocoPhillips Funds. (Resolved.)

Moore, Rebecca. “Court Tosses Suit Over Including Former Parent Stock in Phillips 66 Plan.” PLANSPONSOR, Strategic Insight Inc., 29 May 2018, www.plansponsor.com/court-tosses-suit-including-former-parent-stock-phillips-66-plan/.

June 4, 2018

Cervantes et al. v. Invesco Holding Company, Inc., et al.

Invesco is the latest retirement plan services provider to become a target of a self-dealing lawsuit under ERISA. Invesco is accused of breaching its duties by offering imprudent affiliated ETFs to participants and for offering worse-performing retail shares instead of better-performing institutional shares. Invesco is also accused of failing to use its leverage as one of the larger employer-sponsored retirement programs in the U.S. to negotiate for reduced costs for the benefit of plan participants. (Pending resolution.)

Manganaro, John. “Invesco Accused of Self-Dealing in 401(k).” PLANSPONSOR, Strategic Insight Inc., 4 June 2018, www.plansponsor.com/invesco-accused-self-dealing-401k/.

June 25, 2018

Roycroft et al. v. MetLife Inc., et al.

A representative whose benefit liability was transferred to MetLife in a pension risk transfer (PRT) deal has filed an expansive lawsuit, challenging the company's practices across its PRT and group annuity contract services business. The complaint points to various ways that MetLife has allegedly "admitted" that it has failed to keep track of beneficiaries, failed to contact them, and/or failed to pay them their benefits when due. According to the complaint, the company has "acknowledged that it owes as many as 30,000 beneficiaries more than $500 million in annuity benefits." (Pending resolution.)

Manganaro, John. “MetLife Accused of Failing to Pay Retirees Covered by Pension Risk Transfers.” PLANSPONSOR, Strategic Insight Inc., 25 June 2018, www.plansponsor.com/metlife-accused-failing-pay-retirees-covered-pension-risk-transfer/.


Cybersecurity Risk Assessment Best Practices

By Russell Sommers

Large data breaches have become fairly common, and cybersecurity is at or near the top of most companies’ risk registers. New ransomware and malware variations continue to emerge, and phishing schemes are becoming infinitely more sophisticated. Regulators both domestically and internationally have responded with cybersecurity and data privacy regulations to prescribe “good behavior.”

While complying with regulators is a minimum standard and seen as a cost of doing business, the question companies are asking is "How do I know if we're doing enough?" The truth is that regardless of how robust a cybersecurity program is, the risk remains, as the bad actor only has to be right once. While you can't do anything to stifle the pipeline of bad actors, there are many steps a company can take to limit its exposure.

The two prime tenets of effective cybersecurity are risk assessment and governance. Risk assessment enables an organization to define its environment, evaluate the risks specific to its business and deploy limited resources efficiently. Governance speaks to the ability to establish a framework for effectively addressing these risks in a systemic way and meet the fiduciary obligations inherent with being entrusted with sensitive data, such as consumer nonpublic information.


Risk Assessment

The foundational component of an effective cybersecurity program is an entity's risk assessment. This is the company's opportunity to develop a program that is scalable, sustainable and customized to its specific circumstances. The cybersecurity risk assessment process should be an ongoing process (See Graphic 1.), and include the following phases:

1. Define Threat Scenario

Use an established risk assessment framework along with a documented policy and procedure to direct the process:

• Select risk factors and metrics that are impactful to your organization and provide a comprehensive view of cybersecurity risk to the enterprise.

• Define the IT environment, specifically using an asset-based approach focusing on non-public information (NPI) and system operations supporting the normal course of business.

• Involve all organizational stakeholders (IT, business process, risk/legal and executive), reinforcing that risk assessment and cybersecurity are not solely IT or risk-management responsibilities.

• Intake and evaluate information from relevant internal and external sources.

2. Assess Inherent Risk

For each identified risk scenario, using the likelihood criteria defined, assess the inherent likelihood of each risk occurring without the impact of any internal controls or business processes. For each identified risk scenario, using the risk factors defined, assess the impact each event would have, were it to occur. Compile a risk score based on the cumulative likelihood and impact for each risk (See Graphic 2.).

3. Evaluate the Impact of Controls

For each identified risk scenario, identify all the business processes, internal controls, applications and monitoring provisions that would:

• Prevent or limit that risk scenario from occurring; or

• Reduce or transfer some or all of the risk, if that risk scenario were to occur.

Note: Take credit for the work you do, but be sure not to overvalue the impact of what you are doing.

4. Assess Residual Risk

• For each identified risk scenario, using the inherent likelihood derived, assess the impact of controls that prevent or limit that risk scenario from occurring, the result being a residual risk likelihood.

• For each identified risk scenario, using the inherent impact derived, assess the impact of controls that either limit or transfer some or all of the risk, if that risk were to occur, the result being a residual risk impact.

• Compile a residual risk score based on the cumulative residual likelihood and impact for each risk (See Graphic 2).

Action Steps to Improve

Once the residual risk has been derived for each risk scenario, the company must analyze and interpret the results of the risk assessment. Specific questions to be asked are:

• Did we overvalue the impact of internal controls (i.e., are we taking too much credit for controls)?

• Are the results skewed, meaning:

  • Are there too many high-risk scenarios? This indicates that there are many significant risks remaining. This may result in material risks not getting adequate attention, as resources must be allocated across a larger population of significant risks.

  • Are there too many low-risk scenarios? This indicates that all significant risks are covered and the residual risk is nominal. This may result in material risks not getting adequate attention or resources, as perceived low risks may not receive budget priority or management sponsorship.

Once the analysis is complete and any adjustments made, action plans must be drafted to address each critical and significant risk.

• These action plans should include the specific actions to be completed, the action owner, the anticipated completion date and the required resources (direct cost and employee effort in hours).

• The action plans should be aligned with the broader IT strategic plan to ensure alignment of resources and effort to maximize efficiency.
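The four phases above and the action-step questions that follow them, worked as a small Python risk register. This is an added example, not code from the article or from Baker Tilly; the 1-5 ordinal scales, the score bands, the control-credit and skew thresholds, and the sample scenarios are all constructed assumptions, since the article fixes no numeric scale.

```python
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales. The article's Graphic 2 is a likelihood x
# impact matrix but gives no numbers, so the scale is an assumption.
SCALE_MIN, SCALE_MAX = 1, 5

# Score bands over likelihood * impact (1..25). Thresholds are an assumption.
BANDS = ((16, "critical"), (10, "significant"), (5, "moderate"), (0, "low"))


@dataclass
class Control:
    """A business process, internal control or application (phase 3)."""
    name: str
    likelihood_reduction: int = 0  # points removed: prevents or limits occurrence
    impact_reduction: int = 0      # points removed: limits or transfers the loss


@dataclass
class Scenario:
    """A threat scenario with its inherent ratings (phases 1 and 2)."""
    name: str
    inherent_likelihood: int
    inherent_impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.inherent_likelihood, self.inherent_impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.name}: rating {v} outside {SCALE_MIN}-{SCALE_MAX}")


def rating(score: int) -> str:
    """Map a score to its band; BANDS ends at 0 so every score gets a label."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "low"


def inherent_score(s: Scenario) -> int:
    return s.inherent_likelihood * s.inherent_impact


def residual_ratings(s: Scenario) -> tuple:
    """Phase 4: subtract control credit, never dropping below the scale floor."""
    lik = max(SCALE_MIN, s.inherent_likelihood - sum(c.likelihood_reduction for c in s.controls))
    imp = max(SCALE_MIN, s.inherent_impact - sum(c.impact_reduction for c in s.controls))
    return lik, imp, lik * imp


def assess(register: list) -> list:
    """One row per scenario with inherent score, residual score and control credit."""
    rows = []
    for s in register:
        inh = inherent_score(s)
        lik, imp, res = residual_ratings(s)
        rows.append({"name": s.name, "inherent": inh, "inherent_rating": rating(inh),
                     "residual_likelihood": lik, "residual_impact": imp,
                     "residual": res, "residual_rating": rating(res),
                     "control_credit": 1 - res / inh})
    return rows


def review(rows: list, max_credit=0.7, high_share=0.5, low_share=0.6) -> list:
    """The action-step questions: over-credited controls and a skewed distribution."""
    findings = []
    for r in rows:
        if r["control_credit"] > max_credit:
            findings.append(f"{r['name']}: controls claim {r['control_credit']:.0%} "
                            "reduction; confirm this credit is not overvalued")
    n = len(rows)
    high = sum(r["residual_rating"] in ("critical", "significant") for r in rows)
    low = sum(r["residual_rating"] == "low" for r in rows)
    if high / n > high_share:
        findings.append(f"skewed high: {high}/{n} scenarios still critical/significant")
    if low / n > low_share:
        findings.append(f"skewed low: {low}/{n} scenarios rated low; re-check control credit")
    return findings


def needs_action_plan(rows: list) -> list:
    """Critical and significant residual risks each require a drafted action plan."""
    return [r["name"] for r in rows if r["residual_rating"] in ("critical", "significant")]


# Constructed sample register; values are illustrative, not from the article.
SAMPLE_REGISTER = [
    Scenario("Phishing leads to credential theft", 5, 4,
             [Control("Security awareness training", likelihood_reduction=1),
              Control("Multi-factor authentication", impact_reduction=2)]),
    Scenario("Ransomware encrypts file servers", 4, 5,
             [Control("Endpoint detection and response", likelihood_reduction=1),
              Control("Offline, tested backups", impact_reduction=2)]),
    Scenario("Lost unencrypted laptop holding NPI", 3, 4,
             [Control("Full-disk encryption", impact_reduction=3)]),
    Scenario("Breach at third-party recordkeeper", 3, 5,
             [Control("Vendor risk assessment", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER)
    for r in rows:
        print(f"{r['name']:<40} inherent {r['inherent']:>2} ({r['inherent_rating']}) "
              f"-> residual {r['residual']:>2} ({r['residual_rating']})")
    for f in review(rows):
        print("finding:", f)
    print("action plans required:", needs_action_plan(rows))
```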

Graphic 1

Graphic 2


Additional Concepts to Consider

Following the phased approach outlined above will result in a comprehensive risk assessment, but there are additional concepts which must be considered. They are as follows:

• Risk is subjective, which heightens the need for input from multiple stakeholders; equally important is the diversity of thought that different stakeholders bring to the process. Stakeholder involvement is crucial in all phases of the risk assessment: the selection of risk factors to be used, the metrics by which the risk factors will be evaluated, the inherent/residual risk ratings, and the action plan stemming from the assessment.

• Developing metrics for risk analysis is difficult. Risks may or may not distribute normally across a bell curve; they may skew in distribution to the left or right, which may indicate that, on the whole, risks are either overstated or understated. While risk analysis can be supported with metrics and graphs, there is still a component of risk assessment that is based on "feel," meaning a certain risk feels like it should be high or critical, regardless of controls. This is where experience in conducting information-security risk assessments and knowledge of current events and trends are crucial.

• Due to the level of subjectivity in risk, there is value in conducting an independent quality review of the risk assessment. An objective reviewer can challenge the risk ratings and impact of internal controls, and can help identify potential blind spots, missing risks, unsupported risk ratings and internal controls for which the impact is either overvalued or undervalued.

Wrapping Up

Effective cybersecurity is an organizational effort. Done well, cybersecurity involves the:

• Information technology group that builds, deploys and manages the enterprise systems

• Information security team that protects the systems and monitors activity

• Business units that own the customer relationships, the underlying systems and data

• Executive management and the board that have the fiduciary duty to protect sensitive information

• Legal and compliance group that is responsible with ensuring compliance with all applicable laws and regulations

• Risk-management team that understands the risk assessment process and has access to the tools and templates to be deployed

Involving the stakeholders above throughout the risk assessment process will ensure all significant risks are identified, adequate information is used, relevant internal controls are identified and the resulting plan is realistic. Once the cybersecurity risk assessment is completed, the cybersecurity program should be updated to address the key risks and the IT/cybersecurity calendar should be updated to integrate the planned action steps. The results from the risk assessment and the updated strategic plan should be presented to executive management and the board to ensure executive sponsorship and appropriate engagement in maintaining their fiduciary duty of protecting customer and employee nonpublic information.

Effective cybersecurity management requires organizational alignment, a systemic approach and the efficient deployment of highly skilled resources. A cybersecurity risk assessment is the foundation for that effective cybersecurity program.



4 Cybersecurity Tips
By Troy Guerrette

Technology touches every part of our lives. Unfortunately, criminals have taken notice, and they try to use that to their advantage. But smart behavior can help keep you safe.

1. Maintain awareness.

While you don’t have to be paralyzed by fear, a healthy dose of skepticism can go a long way. Don’t click on suspicious attachments or links in emails—either personal or workplace emails. Even if you know the sender, opening the email can infect your account if the sender’s email has been hacked. Contact the person directly to be sure. A sender who has been hacked will be glad to know so he or she can do something about it!

Any email from a financial institution that asks you for personal information or passwords should be a big red flag. Don’t click on embedded links or attachments, either. They may be attempts at phishing—trying to gain your secure data via a communication disguised as an email from a reputable company. Sometimes you can spot phishing attempts through spelling or grammar mistakes. But sometimes they look genuine. They may claim something is wrong to get you to act before thinking it through. To see what’s really going on, contact your financial institution directly.

Educating yourself about cybercrime can help, too. Criminals prey on the uninformed. It’s good to be aware of the latest method of attack—whether it’s an email from a foreign prince asking for money or a message that looks like it’s from your bank asking for your account number. Staying up to date can help you know what to look for.

Cybercriminals rely on human error, so exercising a little caution is a great way to protect yourself and your personal information. Remember, awareness is the best defense!

2. Be smart about social media.

Social media can be fun, but it pays to be careful about what you share and who can see it. These sites may not be the best places to share personal, secure information.

Make sure you understand the security and privacy settings and how to use them. While the safest thing is to make your posts private—so that only those you approve can see them—many people using platforms like Twitter and Instagram make their posts public so anyone can follow and interact with them.

If your posts are public, make sure you wouldn’t mind a criminal seeing anything you share. Because they’re looking! If your address is listed on Facebook and anyone can see your posts (the “public” setting), then posting vacation photos or tagging yourself in a faraway location tells potential burglars that no one is home.

Do you use your pet’s name or your kids’ names for passwords? If your social media posts are public and you mention their names, anyone can see what they are and may more easily access your accounts. That goes for other personal information, too—like a maiden name, your birthday, or your anniversary. Think before posting that information where anyone can see it.

Some cybercriminals use your public social media posts to craft phishing emails specific to your interests, making it more likely you’ll click on their links. So it’s more important than ever to be vigilant; don’t click on suspicious links or attachments in emails.

Have fun with social media! Just be sensible about the amount and types of information you’re sharing with the world.

3. Secure your mobile devices.

Mobile devices such as smartphones and tablets may contain information you want to keep secure. Depending on how you use them, they may hold your email, financial data, passwords, personal information about family and friends, and more. Yet it’s all too common for people not to use the available security features.

Enable a password or personal identification number (PIN). This is the first line of defense if you lose your mobile device or if it’s stolen. If you have fingerprint identification or facial recognition, use that, too.

Some devices have a five- or ten-try lockdown. If someone enters the wrong password a designated number of times, all the information on the device is deleted. If your device has remote tracking capability, such as Find my iPhone, use it! You also may want to enable the feature that allows you to remotely wipe the data from your mobile device, if it’s available.

It’s a good idea to regularly update the operating system and the apps. Cybercriminals are increasingly targeting mobile devices, but vendors continually update their applications and software to patch vulnerabilities. Keeping everything up to date ensures that you have the latest protection.

Cybercriminals use apps, too. Only download apps from trusted sources, such as the App Store or Google Play. Unfortunately, apps from some third-party app stores may include malware that steals your data after the apps are downloaded.

Mobile devices can make our lives easier, but it’s good to be cautious with the sensitive information they contain. Make sure you know your device’s security features and how to use them!

4. Monitor your accounts.

If you haven’t signed up for online accounts for your financial institutions, you may want to consider it. Online account access and auto-alerts can help you react quickly to suspicious activity. They may even help protect you from a common method of cybercrime. If you register for an online account with a financial institution, a criminal who steals your information can’t register and gain control of your account. In the past, you may have found out about unauthorized credit card or debit card purchases if the financial company called you, your card was declined at the store, or you noticed unusual purchases on your monthly statement. With online accounts, you can find out much more quickly.

Regularly check your accounts for unauthorized transactions, and immediately contact your financial institution if there’s a transaction you don’t recognize. Many companies have apps for your smartphone or tablet so you can check on the go—and some even let you dispute transactions through the app.

Some accounts allow you to set up automatic alerts for unusual activity. You can get a text or an email if a transaction exceeds a predetermined amount or if your card is used outside your normal geographic range.

It’s not just your credit card or debit card you should monitor. Keep track of your bank account, brokerage account, retirement plan, and others. Unfortunately, cybercriminals often hack into large databases and steal secure information, like credit card numbers. Knowing what’s going on with your financial accounts gives you the power to respond immediately if your account is compromised.

Take online security seriously.

Following these four simple tips can help boost your online security. Just remember to maintain awareness, be smart about social media, secure your mobile devices, and monitor your accounts.

Best Practices in Cybersecurity: Securing Your Digital Walls
By Gary Nichols & Lew Tucker

If you use your company web site, email or mobile phones, you are your company’s first line of defense against state-funded cyber armies, criminals and common hackers. Cybersecurity teams across all industries are actively engaged in a global cyber war against these bad actors, who aim to compromise your and your company’s data and information. Fortunately, there are three basic cybersecurity best practices to help you defend your company’s virtual walls like a veteran.

1. Account for the human factor: Avoid scams and practice good password hygiene

“As the world goes digital, humans have moved ahead of machines as the top target for cyber criminals,” wrote Steve Morgan of CSOonline.com. Your cybersecurity teams are hyper-focused on building your company’s virtual wall against current and emerging cyber risks, vulnerabilities and threats. Criminals know this and look to exploit a softer target in your “wall” – you. Their tactics generally come in the forms of password theft and phishing scams.

Practice password hygiene

According to the 2017 Verizon Data Breach Investigations Report, “81% of hacking-related breaches* leveraged either stolen and/or weak passwords.” Password hygiene (routine password updates and upgrades) is your contribution to strengthening your company’s virtual wall. A simple three-step exercise can help you build a powerful password.

1. Think of something unique to you. “I like sailing and spreadsheets.”

2. Build a creative phrase you can remember. “One fine sailor loves numbers”

3. Strengthen your phrase with numbers, capitals and symbols. “1fine$ailorL0ves#s”

If you are one of the “39% [of online adults who] say that they use the same (or very similar) passwords for many of their online accounts,” according to a 2016 Pew Research Center report, use a “password vault.” Many companies invest in password vault services, where employees can safely store their collection of usernames and passwords in a single application. Password vaults are convenient and discourage forgotten or written-down passwords.

Avoid phishing links and attachments

Phishing is a nefarious email, masquerading as legitimate, intended to trick you into clicking on a hyperlink or opening an attachment. If you open one of these links or attachments, you may inadvertently welcome computer viruses or ransomware into your company. Ransomware, as the name suggests, locks down your data or device until your company pays the criminal. To avoid phishing scams, scrutinize your emails, especially those with links or attachments.

2. Ask your third party

Your cybersecurity strategy may be sound, but if you use third-party vendors as part of your business strategy, ensure they meet your standards for protecting themselves, the services they provide and the data they store. Here is a list of questions to consider:

• Authentication – Authentication is verifying you are who you say you are. Ask your third party
  • how they authenticate users to their services,
  • if they have a password policy, and
  • if they implement other verification measures such as multi-factor authentication, security questions or other measures.

• Monitoring & Response – Monitoring is all about visibility. Ask your third party
  • how they monitor access to and activity within their systems, and
  • how they respond to unauthorized access or unusual behavior.

• Access – Access is managing who (or what) may enter and use a system. Ask the third party
  • how they limit access to sensitive information with layered privileges to only those documents and systems their employees require to perform their daily duties.

• Data protection – Data is the currency of digital business. Ask the third party
  • to identify where your data is physically located,
  • who has access to it, and
  • what steps they take to protect your data within their systems.

• Privacy & Trust – Trust, but verify. Ask your third party
  • how they intend to use your employees’ and clients’ data and information, and
  • to agree to and comply with the terms and conditions established in your non-disclosure agreements.

3. Lastly, create a culture of awareness

Cybersecurity best practices should be a part of your workplace culture. Specifically, you and your employees should understand their role in protecting your company’s digital assets and clients. Reinforce the importance of maintaining information security, and crowdsource potential security issues and solutions through periodic security awareness and training, including computer-based training, emails, posters, workshops and meetings.

Cybersecurity is not a one-time event but a continuous process. You want to routinely review your and your third-party partners’ risks. If you continuously improve your employees’ cyber-awareness, they will be better prepared to proactively avoid potential threats and vulnerabilities to your business.

Sources:

• https://www.verizonenterprise.com/resources/reports/2017_dbir_en_xg.pdf

• http://www.pewresearch.org/fact-tank/2017/01/26/many-password-challenged-internet-users-dont-take-steps-that-could-protect-their-data/

• https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html

*Breach – An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

DDoS – Distributed Denial of Service. A cyberattack method intended to overwhelm a system – in effect disabling or disrupting its services – by flooding it with various digital ‘stuff.’

Phishing – A digital fraud attempt to coerce individuals to provide information or gain access to a system.

Malware – A digital virus that conducts unapproved operations on systems or information.

Hackers – Individuals who use technology to access and/or disrupt an application or system.

The information contained herein is for informational purposes only and is not intended to be specific to your situation, nor to be absolute protection against cyber-criminal activity. Please consult with an expert for how this applies to your specific situation.

Monitoring and Protecting against Cybersecurity Fraud in Benefits Plans
By Courtney Schenkel

Don’t lie – have you ever “Googled” yourself? You know, typed your name into the Google search engine just to see what information is out there about you? If you have, you know how easy it is for a complete stranger to access some very personal information with limited knowledge. We’ve all heard stories of someone’s grandmother, neighbor, or friend falling for a cyber scam. Some common ones include clicking on a malicious link, accidentally downloading viruses, or sending out confidential financial information to a hacker masquerading as the IRS or Microsoft. Living in a fast-paced and digital world, it is all too easy to fall prey to such tactics. Did you know that companies can be vulnerable to the same kinds of threats?

We trust our employers to take as much care protecting our personal information as we would; but what about all the other advisors and providers involved in day-to-day support activities for outsourced services? For example, payroll, health insurance, and retirement benefits are frequently subcontracted through third parties. With cybersecurity attacks on the rise, it is imperative to review all aspects of an organization, including those that are outsourced.

According to a US Department of Labor report, there are over $9.3 trillion in retirement assets. Benefit plans are a particular target of cyberattacks as they give hackers direct access to monetary funds and valuable personal information. Cybercriminals have found that accessing benefit databases allows for consolidated access to Social Security numbers, bank information, healthcare files and employment history. Since employee benefit plans are frequently outsourced, there are many potential weak spots that are vulnerable to attack. A sponsor should be fully aware of weak links and how they affect their employees’ retirement savings, especially since online attacks come with a large price tag, both monetarily and otherwise. Beyond funds being directly stolen by hackers, companies also face the risk of fines from governing agencies and loss of public trust.

Regardless of size, all entities face some level of risk. Some of the most common threats are:

1. Rogue insider. Unfortunately, not all who have access to secure information use their access responsibly. They may sell or fraudulently use the personal data they have access to. Employee benefit plans are a common target of identity thieves.

2. Social engineering. Social engineering is using human psychology against people to trick them into giving up confidential information. Cybercriminals exploit employees’ natural tendencies to trust others. That is why they will often use an email address that is identical to someone in management or from an outside firm that they work with. They will ask for the password to a secure site or something similar. This method is quite common because it does not require advanced computer skills, only a general knowledge of company structure and human psychology.

3. Ransomware. Unlike the other methods of cyber invasion, this tactic is usually spotted quickly because a criminal will encrypt a hard drive and only release it upon payment. It is becoming more frequent because payment is usually immediate after the attack.

Strong internal controls and IT security are only the beginning steps to protecting benefit plan information. Here are some recommendations for protecting such vital data:

1. Begin behavioral monitoring of accounts. Behavioral monitoring entails noticing when a user is logging in at an odd time and/or moving odd amounts. It can be the first sign of an intrusion or that someone is a rogue insider.

2. Have a documented incident response plan for threats. The plan should include how to address breaches when they occur and how to communicate the breach to those affected. It is crucial that the plan includes a course of action for handling actual breaches as well as potential ones that were thwarted.

3. Provide training for participants. Making employees aware of potential threats and how to combat them is a key component of cybersecurity. Participants should be reminded not to give out passwords over email, and to be mindful of the risk of clicking links from unknown sources. They should also be cautioned to reconsider who is requesting personal identifying information. Encourage employees to consider why someone may be asking for confidential information.

4. Review your technology environment. Since technology and digital security are always evolving, one should consider bringing in outside expertise to fully evaluate the technology environment and what risks may be present.

5. Maintain up-to-date insurance policies. As another safeguard, a plan sponsor could investigate purchasing an insurance plan to protect against hackers and stolen information.

As Lady Gaga said, “trust is like a mirror, you can fix it if it’s broken, but you can still see the crack”. The ramifications of a breach are long-lasting and can be costly. While remediable, those affected lose confidence in their trusted advisor’s ability to guard valuable personal data. Because employee benefit plans have become a common target of hackers, the AICPA and other regulatory agencies continue to develop frameworks to guide organizations and CPAs regarding digital security threats. This guidance, combined with an organization’s due diligence and risk management efforts, will serve as a critical step in the prevention of a major breach.
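The behavioral monitoring recommendation above (noticing logins at odd times and withdrawals of odd amounts) can be made concrete with a small baseline-and-deviation check. This is an added example written for this article, not code from the author or any recordkeeper; the account activity log lines, participant IDs and thresholds are constructed for illustration.

```python
"""Behavioral monitoring of benefit-plan account activity.

Builds a per-participant baseline (usual login hours, typical withdrawal
size) from historical events, then flags new events that deviate from it:
logins at an unusual hour or withdrawals far larger than the participant's
norm. All log lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed history, one event per line: "timestamp|participant|action|amount"
HISTORY = """\
2018-05-01T09:12:00|p1001|login|0
2018-05-01T09:15:00|p1001|withdrawal|250.00
2018-05-08T10:02:00|p1001|login|0
2018-05-08T10:05:00|p1001|withdrawal|300.00
2018-05-15T09:40:00|p1001|login|0
2018-05-15T09:44:00|p1001|withdrawal|275.00
2018-05-22T11:30:00|p1001|login|0
2018-05-03T14:10:00|p2002|login|0
2018-05-17T15:25:00|p2002|login|0
2018-05-17T15:30:00|p2002|withdrawal|1200.00
"""

# Constructed new events to evaluate against that baseline
NEW_EVENTS = """\
2018-06-02T09:30:00|p1001|login|0
2018-06-02T09:33:00|p1001|withdrawal|280.00
2018-06-05T03:12:00|p1001|login|0
2018-06-05T03:15:00|p1001|withdrawal|9500.00
2018-06-06T14:50:00|p2002|login|0
2018-06-06T02:05:00|p3003|login|0
"""


def parse(text):
    """Parse the pipe-delimited log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, amount = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "amount": float(amount)})
    return events


def build_baseline(history):
    """Collect each participant's observed login hours and past withdrawals."""
    hours = defaultdict(set)
    amounts = defaultdict(list)
    for e in history:
        if e["action"] == "login":
            hours[e["user"]].add(e["ts"].hour)
        elif e["action"] == "withdrawal":
            amounts[e["user"]].append(e["amount"])
    return {"hours": hours, "amounts": amounts}


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (wraps at midnight)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def flag_event(e, baseline, hour_slack=2, amount_factor=3.0):
    """Return the reasons an event looks anomalous (empty list if it looks normal)."""
    reasons = []
    user = e["user"]
    if e["action"] == "login":
        usual_hours = baseline["hours"].get(user)
        if not usual_hours:
            reasons.append("no login history for participant")
        elif min(_hour_distance(e["ts"].hour, h) for h in usual_hours) > hour_slack:
            reasons.append(f"login at unusual hour {e['ts'].hour:02d}:00")
    elif e["action"] == "withdrawal":
        past = baseline["amounts"].get(user)
        if not past:
            reasons.append("first withdrawal for participant")
        elif e["amount"] > amount_factor * median(past):
            reasons.append(f"withdrawal {e['amount']:.2f} exceeds "
                           f"{amount_factor}x typical {median(past):.2f}")
    return reasons


def monitor(history_text, new_text):
    """Evaluate new events against the baseline; return (ts, user, action, reasons) alerts."""
    baseline = build_baseline(parse(history_text))
    alerts = []
    for e in parse(new_text):
        reasons = flag_event(e, baseline)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["action"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in monitor(HISTORY, NEW_EVENTS):
        print(alert)
```

On the constructed data this raises three alerts: the 03:12 login and the $9,500 withdrawal for p1001, and the login by p3003, who has no history at all; the 09:30 login and the $280 withdrawal match p1001's baseline and pass.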

Protecting Your Small Business from the Unknown

By Dana C. DeLuca

Common sense would lead you to believe that cybercriminals are primarily targeting large corporations. The reality is they want easy access and valuable data. It is the information that makes the target attractive, not the size. Large companies have the resources to fight cyberattacks, but hackers understand that valuable private information is oftentimes more easily accessible through small and mid-sized businesses that do not always have the resources or knowledge to protect their data.

In the financial industry especially, we have access to and are provided with sensitive information daily, in connection with the normal business and operations of our companies. Thus, the financial services industry is a favored target for cybercriminals.

Cybersecurity: The Invisible Thief


So much has changed in recent years with how employees of smaller businesses handle clients’ secure files and information. There was a time when confidential documents were left on desks overnight, file cabinets were rarely locked, and phone messages containing nonpublic information were left with no security measures in place. We never gave a second thought to the jeopardy we were putting our clients in for identity theft or devastating financial harm, not to mention the breach of goodwill and the business relationship.

The internet and email have dramatically changed the way business is conducted today. Now that electronic data transfer is overwhelmingly the preferred method of communicating information, cybercriminals have developed more and more sophisticated methods of gaining access for illicit purposes. Recently, we have all been introduced to countless – and sometimes mandated – security innovations, and have learned the hard way why prevention is key.

Cause

While the most frequent root cause of data breaches is malicious in nature (hacking, malware), human error still accounts for many of the data breaches encountered in small businesses today. This can be the result of carelessness around someone’s work area or during document disposal, as well as sensitive materials left or transported in one’s vehicle, on laptops and on mobile devices.

The most common way, however, to obtain information in a nefarious manner is through password breaches, simply because passwords are weak, set as a default, are easily guessed or missing altogether. A surprisingly large number of people leave lists of passwords in conspicuous places. Even when passwords are changed habitually, usually just one character is changed or added to the current password, increasing the probability of cracking it. Additionally, answers to many security questions can be found on social media sites, negating a second tier of protection.

Cyber events and data breaches continue to rise, often via social engineering; more people have opened phishing messages so far this year than last, and the number of infected attachments has also increased year over year. Spam accounts for the majority of all inbound emails.

There also continue to be new threats that challenge old solutions and technology. Many smaller businesses don’t have the resources – or a department – dedicated to upgrading and updating software and hardware consistently, which increases the risk of a cyberattack.

Prevention

The risk to regulated entities is great due to the potential of significant financial losses to consumers of these services. The majority of small businesses are most concerned with protecting customer records and their own intellectual property. There is much that can be done to protect customers’ personal information from illegal access. In addition to federal initiatives set forth (the Financial Services Modernization Act, the Identity Theft Prevention Act of 2000, and the Consumer Financial Protection Bureau, to name the major ones), there are state- and industry-specific requirements also introduced. According to the New York State Department of Financial Services, certain minimum requirements need to be in place, and adoption of these regulations – effective March 2017 – is a priority for our state. This applies to all agents and agencies that hold a license in New York, and, by March 2019, all must be in compliance with all provisions that apply to them.

A few notable prevention tools are simple for small businesses to adopt, and will go a long way toward mitigating cyber risks.

• Invest in prevention tools – Make it a practice to allocate time, resources and budget to risk mitigation, and to evaluate and solidify your company’s entire security chain. Start with a risk/vulnerability assessment. Install security software. Set up encryption methods. Choose an archiving and supervision provider that can retrieve and store data. Employ penetration testing (hired assessors that try to defeat or bypass security features). Any monies dedicated to these prevention tools will pay off in the long run by saving your company money that might have been spent to recover from an attack.

• Multifactor authentication – When accessing websites, emails or internal documents, employ two-part authentication. In addition to the username and password, require a second factor. This can be a knowledge factor, like a security question; a possession factor, like a token or text message; or an inherence factor, like fingerprints or facial recognition.

• Secure email exchange – Secure email, encrypted so only the sender and receiver can read it, should become standard practice in a small business environment, especially within the financial industry, given the nature of the critical information exchanged. Thankfully, email security has become simpler and more web-based, and there is no shortage of companies that offer solutions to this end, in a range of prices, from free to a set fee per user. Beware that sometimes the less the solution costs, the more basic it is.

• Compliant texting – This starts with an enforced company-wide protocol. Over the past several years, texting among millennials, who represent a rising proportion of the financial services workforce, has become the preferred method of communication, surpassing phone calls as the dominant form. With the right third-party solution, compliance officers can easily capture and archive, as well as supervise, all business text communications, no matter which devices, operating systems, or carriers are used. This will not only monitor appropriate application and website usage (remember, there can be nefarious insiders, too), but it will also help prevent possible regulatory fines over retention and supervision of company-issued phones.

• Incident response plan – While this is not a prevention tool exactly, it is important to develop an incident response plan to help you detect an attack and have procedures in place to minimize or contain the damage. A written plan and defined procedures help ensure everyone understands the steps that need to happen, and each person’s role. While each incident will be unique, laying out general rules and running exercises can quicken reaction times when a real incident occurs. Evaluate this regularly so that it becomes a more optimized and streamlined plan. If possible, keep a 6-year audit of those who had access to protected information. This can help identify patterns, and aid in more fine-tuned prevention efforts. For an extra layer of protection, there are more and more carriers offering cybersecurity insurance policies now.

Regularly update your software solutions. Monitor your business credit reports. Encrypt your databases. Make these simple practices habitual.

Most of all, educate your employees on expected best practices and enforce your policies!

For further information, the New York state website for cybersecurity is at https://dfs.ny.gov/about/cybersecurity.htm.

Other sites that can offer clarification and useful materials are www.insurancejournal.com/news/national/2018/02/15/480708.htm or www.naic.org/cipr_topics/topic_cyber_risk.htm.

*Resources referenced for this article include CyberSecurity Presentation provided by ESET, https://dfs.ny.gov/about/cybersecurity.htm, PaperClip Compliant Email Service Whitepaper Rev 8/12/14.

Cybersecurity: A Plan Sponsor’s Fiduciary Role

By Joan Neri, Esq.

There is a lot at stake when a retirement plan suffers a cyberattack, especially given the amount of personal participant data and plan asset information that can be compromised.

Plan sponsors of retirement plans subject to the Employee Retirement Income Security Act (ERISA) may be aware of this risk; however, they may not be aware of their fiduciary duties as to cybersecurity.

Under ERISA, plan sponsors must act prudently and solely in the interest of plan participants and their beneficiaries for the exclusive purpose of providing them with plan benefits. If a cyber attack occurs, and plan assets are diverted and misused, then the plan sponsor could be liable for a fiduciary breach on grounds that the plan sponsor failed to satisfy this duty of loyalty and prudence. And the consequences of a fiduciary breach can be quite severe. The plan sponsor could be required to make the plan whole for losses, send breach notifications, provide identity-theft protection service to those affected, and more.

What can a plan sponsor do to avoid a fiduciary breach under ERISA? Here are a few important responsibilities that the plan sponsor should undertake.

Compliance with the Plan Documents

The plan sponsor has a fiduciary duty to follow the documents and instruments governing the plan. While most retirement plans do not contain specific language regarding cybersecurity, there may be policy documents adopted under the plan that address cyber risk-management and that are considered documents governing the plan. The plan sponsor should familiarize itself with such policies and evaluate plan operations to ensure they are carried out in accordance with their terms.

Protection of Electronically Transmitted Participant Information

The Department of Labor (DOL) has issued specific rules regarding the electronic transmission of personal participant information. The rules require that plan fiduciaries take –

“appropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents…protects the confidentiality of personal information relating to the individual’s accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended).” DOL Reg. Section 2520.104b-1(c)(1)(i). [emphasis added]

To comply with this rule, the plan sponsor should examine its internal technological system that stores and transfers data relating to plan participants and ensure that it is “reasonably calculated” to protect the transmitted information. Also, internal personnel that perform duties related to this system should be educated on their responsibilities to protect the transmitted data. The “system,” however, may involve not only the plan sponsor’s internal technological system but also that of a third party vendor, such as a recordkeeper to a 401(k) plan. In that case, as discussed further below, the plan sponsor will also need to evaluate and monitor the vendor’s operations to ensure that this rule is satisfied.

Prudent Selection and Monitoring of Third-Party Service Providers

The plan sponsor has a fiduciary duty under ERISA to prudently select and monitor service providers. When it comes to cybersecurity, the plan sponsor should not rely blindly on the integrity of the service provider’s operations. The plan sponsor’s fiduciary duty includes a duty to ensure that the service provider has a comprehensive cybersecurity policy in place to protect plan and participant information. The plan sponsor should review the policy for completeness and should also consider how it impacts the plan sponsor’s internal electronic communication processes. Once the service provider is hired, the plan sponsor has a continuing duty to monitor the service provider’s performance, which should include evaluating whether the service provider is complying with its policy.

Contractual Protections

In addition to reviewing the service provider’s cybersecurity policy and monitoring the service provider’s performance, the plan sponsor should ensure that the service provider agreement includes appropriate contractual protections. Among the provisions that should be included are the following:

• Representation by the service provider that it maintains a cybersecurity policy and agrees to follow it;

• Description of the limitations and restrictions on the service provider’s use of and access to plan and participant data;

• Description of the way in which the service provider will respond to cybersecurity breaches, e.g., notification to the plan sponsor, duty to remediate, etc.;

• Allocation of liability for cybersecurity breaches and related costs.

There are additional contractual protections that may be needed as well. In describing the allocation of liability for cybersecurity breaches, the main goal should be to allocate as much liability as possible to the service provider that develops and operates the technological systems necessary to carry out plan services. It is advisable to seek the assistance of legal counsel in negotiating the needed contractual protections.

Conclusion

Plan sponsors should be mindful of their fiduciary duties when addressing cybersecurity issues. The plan sponsor can avoid a potential fiduciary breach and protect participant interests by putting appropriate internal cybersecurity safeguards in place and prudently selecting, monitoring and contracting with third-party service providers.

Cybersecurity Training: The Importance of Educating Your Employees on Protecting Their Assets

By Charles J. Privitera Jr.

Those of us who work with company-sponsored defined contribution retirement plans have become familiar with the word “friction.” It refers to little things that get in the way of participants contributing to or increasing their contribution to the retirement plan. Things such as logging on to a website or remembering a PIN or password qualify as friction. Of course, the best way to reduce friction is to take advantage of the many technological advances in the way we access our accounts. Most of the advances are welcome, as they do have the ability to help reduce friction and improve participation and engagement in the retirement plan. “Alexa, how does my balance compare to other people my age? Alexa, how does my contribution compare to other people my age? Alexa, increase my contribution by 2%.”

Certainly, with these many advances there is an increased threat to the security of plan assets. While many are thrilled about the idea of improving outcomes, we as fiduciaries must be more and more vigilant when it comes to keeping the assets of the plan secure. A transaction that once required paper, a signature, and review by one or more individuals can now be performed by speaking into a device in your home.

Some plan sponsors I have spoken to have an immediate reaction that may sound something like, “Well, I’ll just turn that feature off.” Some are not fully accepting that the risk is legitimate. All agree, though, that while there is a high degree of confidence in the cybersecurity of their own organization and their recordkeeper (real or perceived), none are comfortable with the ability of their individual employees to safeguard their information from cybercriminals.

Whether or not the loss of a participant account balance is a fiduciary loss will depend on the facts of the case. So let’s follow this train of thought for a moment. Employee Joe Smith has his identity compromised in some other part of his cyber life (Twitter, LinkedIn, Target, Gmail, or Facebook). He happens to use the same username and password combination that was stolen for his 401(k) plan with Fidelity. The thief will use computer programs called “bots” to run this username and password combination through the largest financial institutions first (Chase, Bank of America, Fidelity, Vanguard), an attack known as credential stuffing, and, voila, a hit on the Fidelity site. From there the thief liquidates (distributes) Joe’s $320,000 retirement plan balance. Who is going to make Joe whole? Is this a fiduciary loss? If not, so what? Are you going to tell the participant, “Sorry, you’re out $320,000”? Other articles will touch upon the importance of indemnifications between the fiduciaries and the company, the company and the recordkeeper, etc. The insurance folks will touch on the importance of coordination of coverage: Is it fiduciary liability or cyber liability insurance? What are the terms and exclusions? I’d like to focus on the loss-control aspect going forward.

Everywhere we work, companies accept a certain amount of risk, offload the risk to a third party, or some combination of both. Whatever the risk strategy, most organizations do whatever they can to mitigate the risks. This is commonly referred to as “loss control.” We teach folks how to drive a forklift, to wear safety goggles, to sit properly in their chairs. We hire third parties to help us manage our fiduciary risk (yours truly). So what can be done to help mitigate the risk of cyber theft of an individual account of a corporate retirement plan?

First, most companies provide some level of training to their employees regarding electronic data security, using social media, and privacy and protection of data. This type of training should absolutely include training around protecting individual employee data and the importance of protecting their 401(k) plan data.

Second, and this is covered by other individuals in this issue, make sure the vendor has controls in place. Verify that they’ve tested their systems, how they share data with third parties (intranet portals, HRIS systems, third-party administrators, financial wellness vendors) and how they plan to be accountable for any breaches.

Finally and most importantly, engage the participants in the retirement plan. A couple of vendors have artificial intelligence that learns the behavior of participants when they log on to the website, or it recognizes their voice when they call in to the call center. If someone other than the participant tries to navigate the website or call into the call center, red flags will go up. This is phenomenal first-defense technology, save for one very important detail: most participants (higher than 80% at some companies) have never logged on or called in. Yikes! This is one of the first things we do with clients of Westminster Workplace Solutions: have the participants log on or call in. At the very least, we are helping create a baseline for security. As with most things, knowledge and engagement will help solve a lot of problems. Once the participants are engaged in the retirement plan, the benefits both they and the plan sponsor will see go well beyond cybersecurity risk mitigation. With engaged participants, the retirement plan has the ability to go from a must-have benefit to a secure, life-changing tool, with employees who are less stressed financially and who understand their employer cares about their financial wellbeing.
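Both points in this article can be checked on the recordkeeper’s side from the login and transaction log: the Joe Smith scenario (one leaked username/password replayed by bots across many accounts, i.e. credential stuffing) shows up as one source address trying many distinct accounts and failing on most of them, and the baseline gap noted above shows up as a distribution by an account whose first successful login ever happened minutes earlier. The following is an added example, not code from this article or from any recordkeeper; the log format, field names and thresholds are assumptions, and the sample log is constructed:

```python
"""Two detections for the scenario above (added example, not the article's code).

Assumed log format, one event per line:
    <ISO-8601 UTC timestamp> src=<ip> user=<login> event=<login|distribution> outcome=<ok|fail> [amount=<n>]
Window sizes and thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 sprays one leaked password
# across six accounts and lands on jsmith, whose only login ever is followed
# minutes later by a full distribution. mlee has a login history and is not
# flagged; tng's first login with no transaction is a new baseline, not an alert.
SAMPLE_LOG = """\
2018-05-01T08:30:00Z src=198.51.100.4 user=mlee event=login outcome=ok
2018-05-15T08:31:10Z src=198.51.100.4 user=mlee event=login outcome=ok
2018-06-04T09:00:01Z src=198.51.100.4 user=mlee event=login outcome=ok
2018-06-04T09:02:40Z src=198.51.100.4 user=mlee event=distribution outcome=ok amount=5000
2018-06-04T09:10:00Z src=203.0.113.7 user=asmith event=login outcome=fail
2018-06-04T09:10:01Z src=203.0.113.7 user=bjones event=login outcome=fail
2018-06-04T09:10:02Z src=203.0.113.7 user=cwang event=login outcome=fail
2018-06-04T09:10:03Z src=203.0.113.7 user=dpatel event=login outcome=fail
2018-06-04T09:10:04Z src=203.0.113.7 user=eross event=login outcome=fail
2018-06-04T09:10:05Z src=203.0.113.7 user=jsmith event=login outcome=ok
2018-06-04T09:14:30Z src=203.0.113.7 user=jsmith event=distribution outcome=ok amount=320000
2018-06-04T10:00:00Z src=192.0.2.9 user=tng event=login outcome=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<rest>.+)$")


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; reject anything malformed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
        for field in m["rest"].split():
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"bad field {field!r} in {line!r}")
            ev[key] = value
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts, mostly failing, inside one window.

    A legitimate user retries one account; a bot replaying a leaked credential
    list walks through many accounts and fails on most of them.
    """
    logins_by_src = defaultdict(list)
    for ev in events:
        if ev.get("event") == "login":
            logins_by_src[ev["src"]].append(ev)
    flagged = {}
    for src, attempts in logins_by_src.items():
        for i, first in enumerate(attempts):          # attempts are time-sorted
            in_window = [a for a in attempts[i:] if a["ts"] - first["ts"] <= window]
            accounts = {a["user"] for a in in_window}
            fails = sum(1 for a in in_window if a["outcome"] == "fail")
            ratio = fails / len(in_window)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                flagged[src] = {"accounts": len(accounts), "fail_ratio": round(ratio, 2)}
                break
    return flagged


def flag_unbaselined_distributions(events, window=timedelta(minutes=30)):
    """Flag a distribution by an account whose first successful login ever was moments earlier.

    Behavioral analytics cannot recognize a participant who has never logged in,
    so first-ever login followed by a cash-out is the case that needs an
    out-of-band confirmation (call-back, mailed notice) before money moves.
    """
    ok_logins = defaultdict(int)
    last_login = {}
    findings = []
    for ev in events:
        if ev.get("event") == "login" and ev.get("outcome") == "ok":
            ok_logins[ev["user"]] += 1
            last_login[ev["user"]] = ev
        elif ev.get("event") == "distribution" and ev.get("outcome") == "ok":
            login = last_login.get(ev["user"])
            if login is not None and ok_logins[ev["user"]] == 1 \
                    and ev["ts"] - login["ts"] <= window:
                findings.append({"user": ev["user"], "src": ev["src"],
                                 "amount": int(ev.get("amount", 0)),
                                 "reason": "first-ever login followed by distribution"})
    return findings


def triage(log_text):
    """Run both detectors over a log export; returns what an analyst would review."""
    events = parse_log(log_text)
    return {"credential_stuffing": detect_credential_stuffing(events),
            "unbaselined_distributions": flag_unbaselined_distributions(events)}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(name, hits)
```

The stuffing detector keys on the source address; a distributed botnet that uses one address per attempt defeats it, which is why the second rule keys on the account’s own history instead and is the one that catches the Joe Smith case regardless of where the attacker connects from.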

Cybersecurity: The Industry’s Next Frontier

By Eric Brickman

According to the Identity Theft Resource Center, there were 1,222 data breaches in 2017, exposing more than 172 million records. This easily surpasses the all-time record high set in 2016 of 1,093 data breaches. And that was a whopping 40% increase over 2015’s 780 reported breaches.

Cybersecurity fraud was once a problem reserved for the largest government agencies, credit card companies and banks. However, as these organizations have hardened their security capabilities, fraudsters have shifted their focus to the next tier of banks, as well as financial firms that play in the brokerage, retirement and insurance spaces.

Many of these firms are now scrambling to learn from the big banks and quickly implement similar or next generation cybersecurity methods and capabilities.

Defining Cybersecurity

Before you can implement cybersecurity tactics, it’s helpful to know what this heavily (and often overly) used term really means.

For the purposes of this article, let’s define cybersecurity. It’s the art and science of protecting one’s data from attacks on confidentiality, integrity and availability. These attacks can come by various means, whether it’s social engineering, phishing, unpatched software, social media threats or more advanced persistent threats. But the goals are typically the same: achieving some form of economic or political gain, social justice, or cyberbullying.


The Balancing Act: How Cybersecurity Impacts a Company’s Investment in Technology

Companies today need to adjust how they balance cybersecurity with functionality and ease of use when it comes to investing in technology and designing and developing systems.

We all want and expect the systems and applications we rely on to perform and support our needs. We want a robust suite of functionality that’s easy and intuitive to use, and keeps our information safe and secure. The trick is building and delivering digital solutions that provide all three in a way that is properly BALANCED.

Just How Important is Cybersecurity?

As many of us are aware, there is a well-known theory in psychology called Maslow’s Hierarchy of Needs. It says that people naturally need to satisfy their basic needs, including safety and security, before they can move onward and upward to the next level or tier of need.

I tend to believe there’s a comparable hierarchy that exists in the digital space; I call it the “Digital Hierarchy.”

And just as with Maslow’s hierarchy, it assumes that if people don’t believe their personal information is secure within the systems they use or access, then no amount of functionality or experience will effectively drive user behavior, utilization or engagement.

Without trust, adoption will be zero.

This means that firms may have to invest more time and money enhancing and maintaining cybersecurity than they have in the past. Unless additional resources are made available to accommodate this work, firms will likely have to shift how they allocate resources. They might have to favor additional cybersecurity efforts over the pace at which desired functionality and enhancements can be delivered.

As cybersecurity becomes a larger part of each project, it will require more focus and a greater portion of a project’s resources. Without a balanced approach, this could negatively impact the user experience. That’s because additional security measures often add additional steps to traditional digital functions: the login/authentication, purchases/transactions, etc. And typically, one’s level of delight or satisfaction with the user experience of a particular system or application decreases as the number of steps increases.

Key Trends: Cybersecurity in 2018

There are a number of mature and emerging trends in the cybersecurity space. Here’s a quick summary of the ones many firms are investing in now and/or are exploring for the near future:

• Improving Authentication (User Login/Access): Strong passwords, multi-factor authentication, multi-tiered authentication, security questions (a weak factor on their own, since answers are often discoverable), CAPTCHA, SAML-based single sign-on, security/fraud alerts and monitors, biometrics (voice, fingerprint, facial), session timeouts, IP address/geography blocks

• Improving Network/Data Center Security: Intrusion detection/intrusion prevention systems (IDS/IPS), hardened perimeter protection, distributed denial of service (DDoS) mitigation, network forensics and analytics

• Improving Encryption: Across the span of digital storage devices (SANs, desktops, laptops, mobile, removable media), encrypting data in transit, encrypting data at rest, password hashing

• Expanded Use of Secure Coding: Ongoing practice of educating software developers to learn from historical and newly identified vulnerabilities to guard against the accidental introduction of such security vulnerabilities

• Improving Fraud Prevention: Business measures, procedures and analytics used to recognize and/or prevent potentially fraudulent activities, incident management systems (IMS) to address fraudulent activities as they occur, identity theft and credit protection monitoring, industry consortiums to share experiences with fraudulent activities amongst peers

• Expanded Use of Artificial Intelligence (AI): Used here to mean pre-defined sets of complex rules/decision trees applied to large amounts of data; can be used as a method to identify known patterns of activities/behaviors which can be used to predict or detect fraudulent activities

• Expanded Use of Machine Learning (ML): Used here to mean dynamically generating sets of complex rules/decisions from large amounts of data; can be used as a method to identify new patterns of activities/behaviors to predict or detect fraudulent activities

• Securing the Internet of Things (IoT): Defined as a system of interrelated/connected computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers that facilitate the transfer of data over a network without requiring human-to-human or human-to-computer interaction; by its highly connected nature, the IoT injects additional security risk into any system connected into an IoT ecosystem
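Two of the items above, password hashing and multi-factor authentication, are worth seeing in working code, because the details (a per-user salt, a tunable work factor, constant-time comparison, and a one-time code that cannot be replayed) are where real deployments go wrong. The following is an added example, not code from this article; it assumes PBKDF2-HMAC-SHA256 for the credential store and TOTP (RFC 6238, built on RFC 4226 HOTP) for the second factor, and the iteration count and record layout are illustrative:

```python
"""Password hashing and TOTP verification (added example, not the article's code).

Assumptions: PBKDF2-HMAC-SHA256 with a per-user random salt for the at-rest
credential store (bcrypt, scrypt or Argon2 are equally valid choices), and TOTP
per RFC 6238 for the second factor. The iteration count and the record format
are illustrative.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000   # assumption: tune so one check costs ~100 ms on your hardware


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt b64>$<hash b64>'.

    Storing the parameters next to the hash lets you raise the cost later
    without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(16)                      # unique per user: defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def verify_password(password, record):
    """Recompute the hash from the stored parameters; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)   # no early exit on the first differing byte


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, skew=1, last_counter=None):
    """Accept the current step or +/- skew steps (clock drift); reject any counter
    already consumed (replay). Returns the accepted counter, or None."""
    t = int(time.time() if at is None else at)
    current = t // step
    for counter in range(current - skew, current + skew + 1):
        if last_counter is not None and counter <= last_counter:
            continue                                  # a code is good exactly once
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def login(record, totp_secret, password, code, at=None, last_counter=None):
    """Two-factor check in the right order: password first, then the one-time code.

    Returns (ok, new_last_counter). A wrong password never reaches the TOTP
    check, so an attacker cannot probe the second factor on its own.
    """
    if not verify_password(password, record):
        return False, last_counter
    counter = verify_totp(totp_secret, code, at=at, last_counter=last_counter)
    if counter is None:
        return False, last_counter
    return True, counter


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret; a real deployment issues os.urandom(20) per user.
    secret = b"12345678901234567890"
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec), hotp(secret, 0), totp(secret, at=59))
```

The returned counter must be persisted per user and passed back as `last_counter` on the next login; without that, the same six digits are valid for the whole 90-second window the skew allows, which is exactly what a shoulder-surfer or a phishing page that proxies the code in real time relies on.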

Cybersecurity and Benefits Plans: The Next Front in the Ongoing Battle to Protect Personal Information

By Jenny Lewis Holmes

It feels like every day we learn of a new data breach. We’ve seen large corporations, credit monitoring services and even cities fall victim to cyberattack. No organization or industry, including the benefit plan industry, is immune to the risk. In light of the recurring data breach headlines, plan sponsors must take note of the potential disaster of a data breach. With employees’ identities and financial futures, not to mention an employer’s reputation, at stake, cybersecurity is too important to be ignored.

WHY BENEFIT PLANS?

So why are benefit plans considered high risk for a data breach? Let’s consider the New York State Data Breach Notification Law found in Section 899-aa of the General Business Law. Under this law, protected information consists of any information concerning a “person, which because of name, number, personal mark or other identifier, can be used to identify such natural person” in conjunction with: (i) a Social Security number; (ii) driver’s license or other identification number; or (iii) account, credit or debit card number in combination with any required security code, access code or password that would permit access.

Now let’s think about the information a plan collects about its participants. Name? Obviously. Address? Yes. Social Security number? Yes. Driver’s license or other identification number? Most likely. Financial information? Of course. Benefit plans are attractive for hackers because they centrally store every piece of protected information that a bad actor could potentially need to do serious damage to an individual’s identity. Hacking a benefit plan is not only effective, but efficient.

Plus, benefit plans have targets for hackers beyond just personally identifiable information. In one reported breach, a plan lost $2.6 million in assets when hackers used personally identifiable information to set up fake participant internet profiles to take out fraudulent loans. The hackers walked away $2.6 million richer, and the plan administrator was left to restore the plan.

SOURCES OF RISK

When thinking about cybersecurity risks, it’s easiest to think of the bad actor sitting in a dark basement, hacking through the use of malware or spoofing or phishing emails. And yes, it’s true that what these bad actors do is primarily out of a plan sponsor’s control. But there is more to cybersecurity risk than just this.

Employees handling protected information can be a plan’s first line of defense, but can also be the plan’s greatest vulnerability. After all, there has to be someone on the receiving end of a spoofing or phishing email. Imagine the employee who receives an email purporting to be from the company’s benefits manager. The email asks for each plan participant’s Social Security number, date of birth, address and account balance. The employee thinks this email is a little odd, but sends the information to the manager as requested. With one click of the “send” button, plan participants’ identities and plan assets have been put at risk.

Arguably, cybersecurity training for employees, focusing on both prevention and response, can be one of the most effective parts of a cybersecurity plan.

IS PROTECTING PLAN INFORMATION AGAINST HACKERS A FIDUCIARY DUTY?

Short answer? Not quite. But should cybersecurity be treated as a fiduciary duty? Yes.

There is no current federal regulatory scheme governing cybersecurity for retirement plans and service providers. Rather, at least at the federal level, cybersecurity laws and regulations are largely industry-specific, and there is nothing speaking directly to benefit plans. But there is some guidance that directs plan sponsors, administrators and third-party service vendors to treat cybersecurity with the same care as other fiduciary duties.

Section 404 of ERISA requires a plan’s fiduciaries to act with “the care, skill, prudence and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use.” In doing so, plan fiduciaries must act for the exclusive purpose of providing benefits to participants and their beneficiaries. The growing trend suggests that fiduciaries must protect participant data as part of their duty of loyalty and prudence.


The Department of Labor (DOL) has issued some guidance indicating the importance of cybersecurity as it relates to benefit plans. In 29 C.F.R. §2520.104b-1(c), the DOL provides that plan sponsors that distribute plan information electronically are required to ensure the electronic system used for furnishing the information “[r]esults in actual receipt of transmitted information” and “[p]rotects the confidentiality of personal information relating to the individual’s accounts and benefits.” A failure to comply with this regulation can be the basis of a claim for failure to provide the required disclosure, ultimately subjecting the fiduciary to civil penalties.

Further, the DOL’s Technical Release No. 2011-03, which deals with a secure, continuously available website used to communicate information about participant-directed investment alternatives under a retirement plan, explicitly includes, as a condition for utilizing the electronic media, that the plan administrator take “appropriate and necessary measures reasonably calculated to ensure that the electronic delivery system protects the confidentiality of personal information.”

The DOL is not the only entity contemplating cybersecurity. The ERISA Advisory Council (the “Advisory Council”) has been confronting the issue of cybersecurity in the context of benefit plans since at least 2011. In 2016, the Advisory Council held hearings to hear testimony from various experts and other interested parties on the issue. In January 2017, the Advisory Council published “Cybersecurity Considerations for Benefit Plans.” The report provides information to plan sponsors, fiduciaries and plan service providers on approaches for managing cybersecurity risks and recommends that plan sponsors and fiduciaries consider cybersecurity in safeguarding plan benefit data and assets when making decisions to select or retain a service provider. However, the report stops short of directly addressing whether cybersecurity monitoring is a fiduciary duty.

WHAT PLANS CAN DO TO PROTECT PERSONAL DATA

If a plan has not already, now is certainly the time to develop a data protection plan. Plans can establish strategies for data protection by considering the following:

• What data is collected?

• Why is it collected?

• Where is the data stored?

• How is data accessed? Who is allowed to access it?

• How long is the data retained? How is it destroyed or permanently protected?

By identifying these key elements of data collection, plans can better understand what protections need to be in place. For example, simply limiting what employees have access to is a way to greatly reduce the risk of unauthorized access. Likewise, having established retention timeframes and destruction protocols decreases the amount of data a plan must protect.

Once the data is understood, the next step is to develop the policies to govern and regulate the collection and storage of the data. Often, a plan can leverage the employer’s procedures and policies to make them functional with the needs of the plan. But the policies cannot just remain in an employee handbook or worse, hidden on a shelf. In order to be effective, these policies must be communicated to employees, and regular training sessions must be held.

Consider the employee above, who received the spoofing email asking for every participant’s Social Security number, date of birth, address and account balance. What if he knew what to look for in a spoofing email before the attempted breach? Here, proper training could save the plan, and the plan sponsor, millions of dollars.

Additionally, for the plan’s computerized systems, plans should regularly run penetration tests to find vulnerabilities in any software or platforms, and should also test backups and recovery plans. Testing is the only way to confirm that the plan’s systems are working as intended and, if needed, the results of these tests can strengthen and enhance any written policies.

Inevitably, and despite even the best of trainings and testing, a breach will occur. This is why, in its repertoire of policies, a plan should have a data breach response plan. A well-understood response plan can seriously mitigate the effects of a breach. The plan should delegate responsibilities to a cross-functional team of decision-makers, including representatives from IT, HR and legal. The team should be able to work together to identify ongoing risk, mitigate or stop this risk, communicate to plan participants and beneficiaries and comply with all laws. However, as with all written policies, this will only work if practiced before a breach.

Plans are uniquely positioned in that they are also responsible for the security practices of their third-party service providers. To start, plans should review their service provider agreements and consider the extent to which the agreement should address compliance with applicable laws or relevant industry standards. The agreement may also allocate responsibilities and liabilities in the event of a breach.

Plans should evaluate their service providers by reviewing data security policies, including those relating to encryption and transmission protocols, as well as monitoring and testing compliance.

WHAT’S NEXT

The threat of cyberattack is not going to dissipate any time soon. As technology expands, so does the need for greater attention to personal information, especially where large amounts of personal data are stored in the same location. The risks of cyberattack on benefit plans cannot be ignored; for both employers and employees, there is simply too much at stake.


A special thanks goes out to all our amazing contributors.

Baker Tilly

Charles Schwab & Co., Inc.

Drinker Biddle & Reath LLP

EFPR Group, LLP

Fiducia Group, LLC

KAFL Insurance Resources

Lincoln Financial Group

Newport Group

Nixon Peabody LLP

Westminster Consulting, LLC


M e e t F i d u c i a G r o u p

Fiducia Group provides unbiased advice and fiduciary expertise for employer-sponsored retirement plans. Our support and guidance helps plan participants achieve retirement readiness. Our tested process also makes plan sponsors’ lives easier by saving them time, and leads to high quality, cost effective and compliant retirement plans.

Fiducia Group couples extensive experience with a singular focus on serving employer-sponsored retirement plans. Retirement plans require a higher level of expertise and focus from an advisor. Sponsors have an enormous responsibility of managing someone else’s money and can greatly influence their standard of living in their retirement years. A retirement plan advisor should not be just another vendor relationship, judged on fees and personality. You need and deserve an expert.

Focused Advice

Fiducia Group’s core business, our only business, is helping retirement plan sponsors manage their plans. We are retirement plan specialists, it’s what we do... it’s all we do.

• 100% of our revenues come from assisting employers with their retirement plans.

• Our services and innovation are targeted to support mid- to large-sized employers with multiple fiduciaries or committees.

• Each of our consultants is an owner of the firm and is committed to our clients and the retirement industry.

Traditional Values

We focus on personal relationships with our clients, built upon trust and integrity.

• We care about retirement plan participants and their success.

• We care about our clients and the challenges they face with fiduciary responsibility.

• We charge a reasonable flat fee; not a commission or asset-based fee.

• We are leaders in our industry and take an active role in improving our profession and the regulations of workplace retirement plans.

At Fiducia Group, we provide seasoned expertise and insight in helping investment fiduciaries better manage their legal responsibilities through considered advice, secure technology, and on-going fiduciary education.

“Our only mission is to provide advice and support that will reduce sponsors’ burden and improve employees’ retirement readiness.” - Jim Bartoszewicz

Fiducia Group...Celebrating 10 Years

Fiducia Group is celebrating its 10th anniversary of providing investment and fiduciary advice to sponsors of workplace retirement plans. We are very experienced retirement plan specialists, it’s what we do... it’s all we do. Our firm was founded with a core philosophy of traditional values: personal relationships with our clients, built upon trust and integrity. These values have served us well.

In addition to servicing our clients’ needs, we also understand the importance of giving back to our community. At Fiducia Group, we have and will continue to contribute both time and resources in supporting various charitable and faith-based organizations throughout the Pittsburgh region.

We eagerly look forward to what the next ten years may bring. As Fiducia Group continues to grow, we will evolve with changes in the marketplace and the retirement landscape so that we can continue to best service our clients’ needs.

Thank you to all of our clients, service partners, friends and family who have been a part of our journey!


Fiducia Group, LLC
100 W Station Square Drive, Suite 615
Pittsburgh, PA 15219
Phone: 412.540.2300

www.fiduciaretirement.com/Publications/Confero
