Under Russia’s Threat, Revisit the DOL’s Cyber Basics


March 23, 2022

The White House has repeatedly warned that the Russian government may be exploring launching cyberattacks against U.S. critical infrastructure. In 2021, the Department of Labor (DOL) refreshed its cybersecurity guidance for plan sponsors, fiduciaries, service providers, and participants. We’ll review the threat and the DOL’s guidance, and offer some thoughts of our own.

SUMMARY

  • The White House has issued multiple warnings of potential Russian cyberattacks against critical U.S. infrastructure.

  • While state actors likely won’t focus on retirement plans the way criminal actors have, associated financial institutions, companies, and governments may be prime targets.

  • Though plan fiduciaries may offload financial liability for cyber breaches to vendors, they’re still subject to ERISA’s duties of prudence and care in selecting and monitoring vendors.

  • The DOL’s 2021 releases regarding cybersecurity offer reminders of fiduciary responsibilities and basic best practices for sponsors, providers, and participants.

The government’s warning

On March 21st, the White House issued a statement amplifying previous warnings that the Russian government is exploring “options for potential cyberattacks” targeting U.S. critical infrastructure. Intelligence officials have indicated that there is no current evidence of any specific Russian or Russian-sponsored cyberattack. However, with Russia’s military efforts in Ukraine falling well south of expectations, Russian leadership exhibiting signs of severe frustration and pressure, and rhetoric and threats against the “West” heating up, it’s not hard to believe that the government’s warnings should be taken seriously.

Even in less perilous times, Russian actors have been implicated in a litany of malicious activities. Attacks include the 2020 compromise of SolarWinds’ software supply chain, the 2020 targeting of U.S. companies researching COVID-19 vaccines, the 2018 targeting of U.S. industrial control systems infrastructure, the 2017 NotPetya ransomware attack on organizations worldwide, and the 2016 leaks of documents stolen from the U.S. Democratic National Committee. The Center for Strategic and International Studies keeps a relatively comprehensive list of cyber-attacks here.

Though criminal cyber fraud directed at retirement plans and participants has increased in recent years, the diffuse nature of the retirement industry may make it a somewhat less attractive direct target for state or state-sponsored actors. State-backed “wartime” cyberattacks may focus on targets where the most significant impact can be made for the most efficient effort. For example, European and U.S. regulators have warned banks to prepare for Russian cyberattack threats since early this year, prior to the Russian invasion of Ukraine.

Nonetheless, it makes sense that such cyberattacks could impact retirement plans. Factors include:

  • Many providers (as major financial institutions) and sponsors are prime targets in their own right.

  • Most retirement plans are sponsored by smaller organizations, which may lack larger organizations' cybersecurity resources and expertise. According to Verizon’s Data Breach Investigation Report, small businesses were the targets of 43% of all cyberattacks, making the group the most common target Verizon studied.

  • The collective volume of personally identifiable information (or PII, including Social Security numbers, birthdates, addresses, etc.) involved in administering the nation’s retirement plans is incredible.

  • Over a third of household wealth is invested in retirement accounts, according to the Investment Company Institute. Defined contribution plans are worth over $10 trillion, and more than half of the nation’s employers sponsor DC plans.

The DOL’s guidance

In 2021, the Department of Labor released a refresh of its cybersecurity guidance. While it didn’t change plan sponsor or fiduciary responsibilities, it did offer an improved framework for managing processes and decisions. In addition to tips and best practices, the guidance reinforced ERISA’s requirement that fiduciaries adhere to the duty of prudence when selecting and monitoring service providers.

The release came in three components. Aimed at a broad audience, the guidance is relatively easy to digest (considering the topic). Rather than summarize, we thought it best to link directly:

OUR PERSPECTIVE

While smaller-scale cyber fraud may be a more prevalent daily threat to retirement plans, sophisticated and well-resourced state actors pose a substantial challenge to the entire financial services industry. In light of the current situation with Russia and the potential for particularly destructive behavior that goes with it, we recommend that plan fiduciaries:

  • Review their own existing cybersecurity policies and procedures (sponsors are often more likely to be a weak link than providers)

  • Review fiduciary liability insurance policies to see if retirement plan cybercrime is covered

  • Review vendor selection and monitoring processes to ensure cybersecurity is appropriately addressed

  • Ensure that selection and monitoring processes are well documented and ask vendors to confirm, in writing, how they address the DOL’s 12 best practices

  • Identify vendors that maintain plan data, and review those contracts for indemnification provisions

  • Reinforce to participants the critical role they have in safeguarding their own information and assets against cyber fraud

In closing, we’ll reemphasize that the ERISA exposure to plan fiduciaries created by cyber threats is real, and fiduciaries should carefully adhere to high standards of prudence and care as an ongoing practice. As Lewis Howard Latimer put it, “Habit is a powerful means of advancement, and the habit of eternal vigilance and diligence rarely fails to bring a substantial reward.”

Contact Jay Young (jay.young@vergencepartners.com) or me (tom.douglas@vergencepartners.com) with any comments or questions. Visit www.vergencepartners.com and follow us on LinkedIn to see what else we’re thinking about.


FOR INSTITUTIONAL USE ONLY

Vergence Institutional Partners LLC is registered as an investment adviser with MA, MI, RI, and TN. Vergence Institutional Partners LLC only transacts business in states where it is properly registered or is excluded or exempted from registration requirements.

This report is a publication of Vergence Institutional Partners LLC. Information presented is believed to be factual and up to date, but we do not guarantee its accuracy, and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the author as of the date of publication and are subject to change.

Information contained herein does not involve the rendering of personalized investment advice but is limited to the dissemination of general information. A professional adviser should be consulted before implementing any of the strategies or options presented.

Information is not an offer to buy or sell, or a solicitation of any offer to buy or sell the securities mentioned herein.

Past performance may not be indicative of future results. Therefore, no current or prospective client should assume that the future performance of any specific investment, investment strategy (including the investments or investment strategies recommended by the adviser), or product made reference to directly or indirectly, will be profitable or equal to past performance levels.

All investment strategies have the potential for profit or loss. Different types of investments involve varying degrees of risk, and there can be no assurance that any specific investment will either be suitable or profitable for a client's investment portfolio.

Historical performance results for investment indexes or categories generally do not reflect the deduction of transaction and custodial charges or the deduction of an investment-management fee, the incurrence of which would have the effect of decreasing historical performance results. You cannot invest directly in an index.

Economic factors, market conditions, and investment strategies will affect the performance of any portfolio, and there are no assurances that it will match or outperform any particular benchmark.

Vergence Institutional Partners LLC does not provide legal advice. The information herein is general and educational in nature and should not be considered legal advice.

20220322TLDTLD0042

© 2022 Vergence Institutional Partners LLC