The main purpose of theft and robbery is to take prime assets away to make money or become rich. In today's world, data thieves operate on the same principle: they take personal and financial data in exchange for money or recognition. Data is the main asset of consumers today. The retail industry is a target for payment card data, the finance industry for financial assets and investment data, and even the media industry is not spared: episodes of prime-time shows like HBO's Game of Thrones were hacked and leaked. The recent Equifax data breach shows that personal data can be as valuable as any financial asset.
Take the example of the UFCW Local 655 Food Employers Joint Pension Plan, which suffered a ransomware attack late last year; that shows that the retirement industry can be a target too. There sure is a lot of data for hackers to benefit from! A ransomware attack is a type of hacking or cyber security threat in which attackers gain unauthorized access to the victim's information systems and encrypt its data, preventing the owner of the information from accessing it. Unless the victim pays a sum of money as ransom (bitcoins worth $2000 in the case of UFCW Local 655), the encrypted data is not released.
In this particular case, the data at risk was members' dates of birth, social security numbers and bank account information, all of which are part of any retirement or 401(k) plan. There is also a wide range of service providers that render various types of services to retirement agencies: auditors, actuaries, investment managers, law firms, accountants, and brokers, to name a few. These stakeholders have access to all the personal member information and handle and share it at various levels while servicing the retirement industry. Do these organizations have sufficient safeguards in place to keep the data safe? What is the retirement industry doing in terms of effective practices and data encryption?
Pension agencies can definitely take some proactive steps to keep their member data safe from hacking and ransomware. In our experience, the following are best practices we discuss and implement for our clients.
- Install software updates as they are received to ensure your software is always up to date with the latest security fixes.
- Store your backups on a different server or in a different location than your production database.
- Provide data security training for all staff.
- Ensure you know what your partner ecosystem is doing to secure your data from an attack.
- The insurance industry continues to evolve as the attack methods evolve. Ask questions before purchasing insurance to be sure you’re getting the best product for your needs.
At the recently concluded National Council on Teacher Retirement (NCTR) conference in Arizona, one of the panel discussions was devoted to the current and future state of cybersecurity and ransomware in the pension industry. Diann Clift of Sagitec, an expert in the public pension industry, moderated the session with three other veterans of the industry. The discussion produced insights from the experts on the current state of affairs and ideas for protecting data from hacking and ransomware.
Here are some salient points discussed by the panel.
- Ransomware has increased dramatically in the last few years and no industry is spared by ransomware attacks.
- Prevention today is more than just training users not to click on unknown or unexpected links. It also means being prepared behind the scenes and making sure client databases are not affected. This requires the technical team to be adept at the latest trends in prevention and to keep all software updates current to reduce risks.
- Backups should be stored away from the production databases, on another server and secured separately, so the malware cannot infect both the production and backup databases.
- A client's response to an attack should be part of their incident response plan, and the response should be practiced regularly to ensure the plan will work. This includes decisions such as who will be informed (board, active members, retirees), whether they will be informed, and when.
We are glad to consult and talk to agencies who might be interested in knowing more about trends and best practices in cybersecurity today. Please do reach out in the comments section below and we will get back to you with answers.