Protecting Pensions Against The Threat Of Data Thieves
Businesses are well aware of how to protect against a physical break-in. When it comes to electronic attacks, however, many organizations fail to fully understand the risks or ignore the potential threat altogether. With corporations such as Honda and Sony recently falling victim to hackers, organizations of all sizes are realizing the importance of keeping client data out of the wrong hands.
Having an established protection plan to safeguard from a massive data breach is a critical objective for many pension plans. "Just by the nature of our business and the type of information we deal with on a daily basis, it's clear there needs to be a sound security structure in place," says Zbigniew Duszak, vice-president of IT services at OMERS.
When dealing with sensitive client and member information – including personal and financial data such as addresses, passwords, and employment records – pension plans are a gold mine of personal information and should be aware of the potential threats they face.
"We are living in the age of the Internet and hacking is becoming increasingly sophisticated," says Kenn Faris, assistant editorial director at BC Pension Corp's communications branch. In the past, hackers were primarily computer-savvy kids developing viruses to show off their tech skills and gain attention. Today they have turned into highly skilled specialists and teams stealing personal information from large companies for profit. More than ever, employers and their plan members will expect providers to safeguard their personal information and stay ahead of the latest hacking risks.
Electronic files are highly sought after for their wealth of personal information. Consider all the human resources files, accounting information, member lists, and financial records a pension plan could have on its servers at any given time: a jackpot for would-be data thieves. These documents are full of sensitive information which can be exploited for personal gain. A breach of company information has the potential to cause serious financial damage to clients whose data has been exposed to a third party. If nothing else, a security breach will almost certainly cause a public relations nightmare, perhaps tarnishing the organization's image forever.
In the past, companies have reacted to data breaches by simply sweeping them under the rug and keeping their fingers crossed that the situations stay under wraps. Organizations often make the big mistake of ignoring the non-quantifiable costs of a breach – the public relations fiasco, client attrition, and the decline of employee morale – which can sometimes be far more detrimental than the costs associated with fixing the data breach.
Nowadays, the risks are too high to be left to chance, and organizations are beginning to understand the need for prevention. Having the right measures in place ahead of time will require the company to spend additional resources and money in the short term, but an investment now can protect business reputation and ensure member satisfaction for years to come.
Pension plans are integrating company-wide policies, third-party auditing, and staff training initiatives into their protection plans, as well as utilizing firewalls, encryption, anti-virus software, and authenticated systems. When developing new products, especially for Internet use, additional measures are put in place to ensure potential security holes will not be introduced. At OMERS, for example, an in-house security committee, as well as an external evaluation group, reviews the method and delivery of the product before it goes into production.
Employee accountability has become an important component of security policies, and access to sensitive data can be traced back to the individual. There is a movement towards ensuring all staff are properly trained to handle the sensitive data they come across in their daily tasks. "Security is about more than just the technology," Faris says. "Our staff swears an oath of confidentiality when they join us and they sign a clear policy on the use of technology and information for their jobs. We also have a security screening policy whereby staff who handle personal or confidential information are subject to a criminal record check."
Attending conferences and networking with industry peers can also be an effective means of strategizing against hackers and other nefarious acts. Pension plans are constantly addressing new trends, new technologies, and new initiatives being used by other organizations as they evaluate their policies. Ultimately, Faris says, administrators need to be hyper-aware of existing threats and work with security experts to try to understand and stay in front of developments in the hacking world.
"Every day, our work is to make sure we do what we can to respect the integrity of (clients') personal privacy," Faris says. In British Columbia, the BC Pension Corp. is governed by the Freedom of Information and Protection of Privacy Act, which aims to safeguard information in organizations across the province. Provincial legislation means organizations need to adhere to specific terms and procedures when revealing data.
As organizations and members alike continue to use more Internet-based tools, the need for a more robust security plan keeps growing. "Ten years ago, most employees probably were not as comfortable with online banking, for example, so as technology evolves along with its usage, individuals are becoming more aware of needing to protect information," says Nigel Branker, senior consultant and actuary at Towers Watson.
Sponsors are using more third-party vendors and specialists to help them support pension programs, and they are also delivering more tools and information to members via the web, Branker says. Companies can provide plan sponsors with advice for protecting personal and financial information before and after threats, drawing on best practices that include:
- Reliable Vendors: Organizations should ensure they are working with reliable third-party vendors with a proven track record when it comes to information security. Sponsors should also stay informed and involved when entrusting data to a third party.
- Accountability: Branker says sponsors should be accountable for data relevance. Often much of the work produced on behalf of clients does not require access to sensitive personal information, so if the data is not necessary for the project, it should not be available. Employees should be given only what is needed to perform the function for which they are being retained.
- Defence: Technology is being used to various extents to administer plans, either through administration payroll systems or member self-service web tools. It is crucial to have a multi-tiered defence system in place, including multiple firewalls, virus protection, intrusion protection, and intrusion prevention.
- Communication: In the event of a breach, the speed and effectiveness of an organization's response can make a difference in the client's reaction. Good governance structures should be in place to help guide employees on how to respond to incidents and update sponsors and their members on how the situation is being controlled and how they might be affected.
Today, members are being asked to play a more active role in their pension plan decisions than ever before, and the security aspect is no exception. With a greater degree of access to their personal information comes more emphasis on personal accountability. Some of the standard procedures members should consider when accessing their information online include:
- Strong passwords that are not related to easily accessible information such as a street, spouse, or child's name
- Refraining from leaving sensitive information on shared printers, fax machines, or removable media
- Ensuring information is only shared on secure sites
- Always logging off websites after use
- Disposing of confidential documents at a secure facility or with a shredder
- Alerting their plan sponsor if there is a possibility their data could have been compromised by a computer theft or hack
Sponsors, as well, can put a number of security measures in place, such as password lockout, timeout features, or secure activation receipts, but ultimately not all of the risks associated with member use can be eliminated. The more clients and members are informed of their responsibilities to maintain data confidentiality, the more those risks can be reduced.
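As an added example that is not from the article or from any of the organizations it quotes, the following Python model shows two of the sponsor-side controls named above, password lockout after repeated failed logins and an idle-session timeout, combined with a salted password hash. The MemberPortal class, the threshold values and the sample member account are assumptions chosen for illustration; the current time is passed in explicitly so the behaviour can be checked without waiting.

```python
"""Password lockout and idle-session timeout for a member self-service portal.

Example code written for this page; it is not the software of BC Pension Corp,
OMERS or Towers Watson. All thresholds below are assumed policy values.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 5          # assumed: lock the account on the 5th consecutive failure
LOCKOUT_SECONDS = 15 * 60        # assumed: 15-minute lockout
SESSION_IDLE_SECONDS = 20 * 60   # assumed: 20-minute idle timeout
PBKDF2_ITERATIONS = 100_000      # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a salted, iterated hash so stolen records are not reusable."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0 means not locked


@dataclass
class Session:
    username: str
    last_activity: float


class MemberPortal:
    """Hypothetical portal: enforces lockout on login and idle timeout on each request."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: dict = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str, now: float) -> Tuple[Optional[str], str]:
        """Return (session_token, status); status is 'ok', 'invalid' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Hash anyway so response time does not reveal whether the username exists.
            hash_password(password, b"\x00" * 16)
            return None, "invalid"
        if now < acct.locked_until:
            return None, "locked"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return None, "locked"
            return None, "invalid"
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        return token, "ok"

    def authorize(self, token: str, now: float) -> Optional[str]:
        """Return the username for a live session, or None if unknown or timed out."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > SESSION_IDLE_SECONDS:
            del self.sessions[token]      # idle too long: treat as logged off
            return None
        sess.last_activity = now
        return sess.username

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


if __name__ == "__main__":
    portal = MemberPortal()
    portal.register("member1", "correct horse battery staple")   # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(portal.login("member1", "wrong-guess", 1000.0))
    print(portal.login("member1", "correct horse battery staple", 1001.0))
```

Note that the correct password is refused while the lockout is active, and that an expired session is discarded on its next use rather than on a timer, which is the simplest way to guarantee the timeout holds even if a background cleanup job never runs.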
As the history of data security threats proves, what happens once will almost always happen again. With knowledgeable staff, secure policies, and common sense on the part of sponsors and members, pension plans can easily protect sensitive data and respond swiftly to any potential threats.
‒ Benefits and Pensions Monitor Staff