Hamsters, Cyber Security and Retirement Plans

I typically mute the remote during commercials but a recent ad caught my attention. In "Who's sharing your cloud?" the Ogilvy Group adds glam (actor Dominic Cooper), cute (tiny hamster) and a morality tale (video unexpectedly goes viral) to showcase the downside of not having a dedicated cloud server for a business. This short promotion is a great illustration of risk management at its core.

  • Something seemingly benign creates a costly problem.
  • By not being pro-active, an organization incurs a loss.
  • The cause could have been evaluated and addressed ahead of an adverse effect.

While this television spot and similar messages about technology risk are typically geared to the business community at large, retirement plan sponsors should take heed. Sensitive data about participants, in the wrong hands, can be disastrous. According to "Top 10 Cybersecurity Trends for Financial Services in 2015" (Think Advisor, November 25, 2014), concerns about the integrity of third-party infrastructure are paramount. The new year is expected to yield "active cyber risk mitigation and monitoring" as a replacement for the "current self-certification process." (The latter technique is thought to be less reliable.) Concentrating on the protection of "high-risk and high-value" data collections is likewise expected to occur instead of a broad and generalized approach.

In a twist of innovation, insurance companies are "racing to actuarially quantify new cyber risks" and offer policies to insure explicit dollar damages as well as indirect losses due to diminished "brand, reputation and goodwill." Click to read "Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues" (Insurance Industry Working Session Readout Report, Department of Homeland Security, July 2014).

In its editorial about the "Challenges of cybersecurity" (August 18, 2014), Pensions & Investments laid out a list of enterprise risk management priorities that should consume those in charge of pensions, endowments, foundations, mutual funds, custodian banks and alternative investment pools. These include, but are not limited to:

  • Preventing access to proprietary data by unauthorized persons;
  • Avoiding the likelihood of leaks by institutional service providers that could "compromise confidential investment details" or make hacking easier;
  • Establishing parameters to block front-running; and
  • Attempting to seal off access to data about beneficiaries and other confidential information from intruders.

A critical task for a plan sponsor is to gather sufficient knowledge about how a candidate asset manager or other type of vendor secures its operations from unwanted hackers. Asking questions as part of an RFP makes sense, although responses could be too technical for members of a plan committee to meaningfully interpret. As a result, a plan sponsor could end up having to hire another vendor: an organization to make sense of the replies about cyber security from the first vendor. Moreover, the issuance of an RFP may not occur frequently enough to adequately monitor a retirement plan's exposure to cyber security risks. Kent Costello shares his views in "Automating the Institutional Investing RFP" (June 26, 2014, Information Week: WallStreet & Technology).

Lack of transparency is another issue. In "What investors need to know about cybersecurity: How to evaluate investment risks" (June 2014), authors with PricewaterhouseCoopers or the IRRCi bemoan the "hidden" sources of cybersecurity threats. They add that prevailing disclosure standards "are not designed to adequately differentiate between companies' relative readiness, nor are they effective at helping predict which companies are likely to suffer negative impacts due to a security shortcoming."

None of these warnings are comforting, especially when one considers the layers of vulnerability. A plan sponsor, at the corporate or government employer level, has a chance of having non-retirement plan data stolen by a cyber thief. At the retirement plan level, a sponsor could see its participant data compromised. As a customer, there is a chance for a technology snafu with one or more of its service providers to trickle down to the plan sponsor. As an investor, regardless of plan design, there is the risk of being exposed to cyber meltdowns experienced by a company or asset manager. A defined benefit plan with an investment in Target or Sony for example could pay for security breaches in the form of lower stock prices. A 401(k) plan sponsor that selected a mutual fund that owns shares in a cyber victim company may have to change its investment line-up.

On November 9, 2011, the ERISA Advisory Council presented its report on "Privacy and Security Issues Affecting Employee Benefit Plans." A handy "Chart of Practices Useful to Certain Plan Administrators to Minimize Security Breaches" is included. As part of its focus on cybersecurity, the U.S. Securities and Exchange Commission ("SEC") released a sampling of questions it plans to ask during regulatory examinations. Refer to the agenda of "OCIE Cybersecurity Initiative," National Exam Program Risk Alert, April 15, 2014.

Happy New Year, fiduciaries. More work is on its way.

Enterprise Risk Management, Board Governance and the Art of Cleaning Dirty Dishes

Old habits sometimes die hard. In my husband's case, he insists on soaking the dishes before putting them into the dishwasher. I prefer to scrub them with a sponge, rinse and put them aside until the current load is finished, the machine is emptied and there is room to add the next set. After twenty-two years of otherwise marital bliss, you would think that we would have the whole kitchen clean-up dance choreographed and down to a science. Yet, here we are on a Sunday night, talking about the best way to clean the dishes...again. The good news is that we have squeaky clean dishes. The less than good news is that it would be better in my view to discuss the issue thoroughly, agree on a process and then allocate work accordingly instead of each of us spending time on a basic task that should be easy enough to master without repeatedly going over the same thing.

Now if talking about cleaning dishes is the extent of disagreement in any relationship (marriage or otherwise), life is good. It does get you thinking however about interpersonal dynamics, leadership and how to accomplish a goal, especially when things are more complicated.

Managing enterprise risk management ("ERM") is a good example of a task that requires care and coordination and is arguably more complex than pulling out a scrub brush. According to a recent McKinsey & Company survey about improving board governance, others concur. In their August 2013 write-up of results, authors Chinta Bhagat, Martin Hirt and Conor Kehoe write that "...most boards need to devote more attention to risk than they currently do. One way to get started is by embedding structured risk discussions into management processes throughout the organization."

In "Risk Management and the Board of Directors" by Martin Lipton et al. (Bank and Corporate Governance Law Reporter, February 2011), the role of oversight is distinguished from "day-to-day" risk management. The authors write, "Through its oversight role, the board can send a message to the company's management and employees that comprehensive risk management is neither an impediment to the conduct of business nor a mere supplement to a firm's overall compliance program, but is instead an integral component of the firm's corporate strategy, culture and business operations."

According to a 2009 publication entitled "Effective Enterprise Risk Oversight: The Role of the Board of Directors" by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), board oversight entails several important actions. These include the following:

  • Comprehend an organization's philosophy about risk and "concur with the entity's risk appetite," otherwise defined as its risk tolerance for alternative ways to create shareholder wealth;
  • Assess whether management has put effective risk management processes in place in order to identify, measure and manage key sources of uncertainty;
  • Regularly carry out a study of an organization's portfolio of risks in the context of stated risk tolerance goals; and
  • Evaluate whether management is "responding appropriately" to factors that could seriously erode enterprise value.

Hopefully, readers agree that the topic of risk management oversight should be important to pension plans and other types of institutional investors that invest in companies directly or by purchasing corporate stocks and bonds. Looking askance or ignoring the topic altogether is ill-advised.

In a recent conference call about vendor selection for a relatively large ERISA plan, I was surprised when one of the callers admitted to not having yet vetted the risk management controls in place for a candidate service provider. Worse yet, he thought doing so was a bad idea since "the numbers spoke for themselves."

Certainly insurance underwriters are taking a further look at their exposure. Professors David Pooser and Kathleen McCullough, on behalf of the Professional Liability Underwriting Society ("PLUS") Foundation, explain that more attention is being paid to the oversight role of directors in the aftermath of recent financial crises. In "How is Enterprise Risk Management Affecting the Directors' and Officers' Liability Exposure?" (September 1, 2013), they write that "Better governance control through ERM should make a firm a more appealing risk for D&O insurers to write. ERM becomes especially important if it signals that the corporation is less risky and better controlled than others, and therefore may be a useful tool to D&O insurers, regulators, and other monitors."

Understanding Directors and Officers ("D&O") oversight of a firm's enterprise risk management activities is not exactly the same thing as settling on how best to get the dishes clean. However, both activities are important, and both require that collaborative discussions take place and that actions ensue.