I typically mute the remote during commercials but a recent ad caught my attention. In "Who's sharing your cloud?" the Ogilvy Group adds glam (actor Dominic Cooper), cute (tiny hamster) and a morality tale (video unexpectedly goes viral) to showcase the downside of not having a dedicated cloud server for a business. This short promotion is a great illustration of risk management at its core.
- Something seemingly benign creates a costly problem.
- By not being proactive, an organization incurs a loss.
- The cause could have been evaluated and addressed ahead of an adverse effect.
While this television spot and similar messages about technology risk are typically geared to the business community at large, retirement plan sponsors should take heed. Sensitive data about participants, in the wrong hands, can be disastrous. According to "Top 10 Cybersecurity Trends for Financial Services in 2015" (Think Advisor, November 25, 2014), concerns about the integrity of third-party infrastructure are paramount. The new year is expected to yield "active cyber risk mitigation and monitoring" as a replacement for the "current self-certification process." (The latter technique is thought to be less reliable.) Concentrating on the protection of "high-risk and high-value" data collections is likewise expected to occur instead of a broad and generalized approach.
In a twist of innovation, insurance companies are "racing to actuarially quantify new cyber risks" and offer policies to insure explicit dollar damages as well as indirect losses due to diminished "brand, reputation and goodwill." Click to read "Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues" (Insurance Industry Working Session Readout Report, Department of Homeland Security, July 2014).
In its editorial about the "Challenges of cybersecurity" (August 18, 2014), Pensions & Investments laid out a list of enterprise risk management priorities that should consume those in charge of pensions, endowments, foundations, mutual funds, custodian banks and alternative investment pools. These include, but are not limited to:
- Preventing access to proprietary data by unauthorized persons;
- Avoiding the likelihood of leaks by institutional service providers that could "compromise confidential investment details" or make hacking easier;
- Establishing parameters to block front-running; and
- Attempting to seal off access to data about beneficiaries and other confidential information from intruders.
A critical task for a plan sponsor is to gather sufficient knowledge about how a candidate asset manager or other type of vendor secures its operations against hackers. Asking questions as part of an RFP makes sense, although responses could be too technical for members of a plan committee to interpret meaningfully. As a result, a plan sponsor could end up having to hire another vendor - an organization to make sense of the replies about cyber security from the first vendor. Moreover, the issuance of an RFP may not occur frequently enough to adequately monitor a retirement plan's exposure to cyber security risks. Kent Costello shares his views in "Automating the Institutional Investing RFP" (June 26, 2014, Information Week: Wall Street & Technology).
Lack of transparency is another issue. In "What investors need to know about cybersecurity: How to evaluate investment risks" (June 2014), authors with PricewaterhouseCoopers or the IRRCi bemoan the "hidden" sources of cybersecurity threats. They add that prevailing disclosure standards "are not designed to adequately differentiate between companies' relative readiness, nor are they effective at helping predict which companies are likely to suffer negative impacts due to a security shortcoming."
None of these warnings is comforting, especially when one considers the layers of vulnerability. A plan sponsor, at the corporate or government employer level, has a chance of having non-retirement plan data stolen by a cyber thief. At the retirement plan level, a sponsor could see its participant data compromised. As a customer, there is a chance for a technology snafu at one or more of its service providers to trickle down to the plan sponsor. As an investor, regardless of plan design, there is the risk of being exposed to cyber meltdowns experienced by a company or asset manager. A defined benefit plan with an investment in Target or Sony, for example, could pay for security breaches in the form of lower stock prices. A 401(k) plan sponsor that selected a mutual fund that owns shares in a cyber victim company may have to change its investment line-up.
On November 9, 2011, the ERISA Advisory Council presented its report on "Privacy and Security Issues Affecting Employee Benefit Plans." A handy "Chart of Practices Useful to Certain Plan Administrators to Minimize Security Breaches" is included. As part of its focus on cybersecurity, the U.S. Securities and Exchange Commission ("SEC") released a sampling of questions it plans to ask during regulatory examinations. Refer to the agenda of "OCIE Cybersecurity Initiative," National Exam Program Risk Alert, April 15, 2014.
Happy New Year, fiduciaries. More work is on its way.