Cybersecurity: Strengthening the First Line of Defense

Mike Tropeano, FIS Wealth and Retirement, CFA



The amount of non-public information (NPI) captured and held by retirement plan providers makes them a prime target for cyberattacks and fraudsters. Illegally obtaining data such as Social Security numbers, dates of birth, account numbers, financial data and all known addresses provides a direct pathway to identity theft and fraud. On average, companies are nearly three months behind in detecting cyber intrusions.1 Having a comprehensive cybersecurity strategy in place is crucial in protecting NPI and participants from identity theft and fraud.

High-profile data breaches seem to be in the news daily and have become the norm; with companies like Target, Equifax, Yahoo and eBay targeted, it’s clear no one is exempt from being attacked. In 2017, the number of individual U.S. data breaches was at an all-time high, up 44 percent from 2016, according to the Identity Theft Resource Center.2 In addition, the Center found that exposure of credit card numbers was up 88 percent and the number of Social Security numbers exposed was up eight times in 2017 over the previous year. It’s predicted that by 2021 over $6 trillion will be spent on damages due to cybercrime alone.3

More devices, more problems

No firm is exempt from the threat, which is broadening as retirement plan providers expand into new digital delivery channels to engage with plan participants. It is estimated that more than 20 billion internet-connected devices will be in use by 2020. In 2017, 70 percent of companies experienced losses due to cybercrimes, compared to 64 percent in 2016. This makes the steps to mitigate risk even more critical.1

In the event of a data breach, retirement plan providers face reputational, financial and legal/regulatory risks, and more significantly, the loss of client trust, which in some cases, cannot be overcome. Cybersecurity is everyone’s issue, not just your information security officer – employees are the first line of defense. How well you plan, prepare and educate your team will drive how successful you are in addressing the threat.

[Figure: Companies Are Nearly Three Months Behind in Detecting Intrusions* (average time until detection, in days)]

2015: 57.6
2016: 80.6
2017: 92.2

[Figure: Companies That Experienced Losses Due to Cybercrimes*]

2016: 64%
2017: 70%

1. 2017 U.S. State of Cybercrime, www.CSOonline.com, July 28, 2017

2. https://www.idtheftcenter.org/Press-Releases/data-breaches-up-nearly-45-percent-according-to-annual-review-by-identity-theft-resource-center-and-cyberscout

3. Capgemini Top 10 Trends in Wealth Management 2018

4. Beazley Breach Insights July 2017

* Sources: Celent, CSO, Gartner, Herjavic Group, Pew Research Center


Control the controllable

What is the common denominator in many of the preventable cyberattacks? Social engineering, or the manipulation of users and employees. And yet, 48 percent of companies have no formal procedures for responding to threats.1

While it’s critical to ensure that all applications are developed using the most advanced security protocols and that systems are continuously monitored for attacks and vulnerabilities, the impact of human error can be significant, is often overlooked, and contributes to a large share of breaches. Accidental breaches caused by employee error, or breaches of data while it is under a third party’s control, account for 30 percent of all breaches.4 Tightening up the human element can be an impactful step toward improving cybersecurity and can be reinforced by creating a culture of security awareness.

Every endpoint is an entry point; there is no such thing as too much security. Retirement plan providers can begin by educating employees on how to prevent breaches through training and testing. Longer-term, they can teach them ways in which a breach can be detected and the steps needed to protect the organization when a threat is discovered. Making sure the strategy is aligned with industry best practices is key to developing a training and testing program that helps employees identify vulnerabilities. Cyberattacks through phishing and malware are common and can be prevented with an effective program.

How software upgrades can help reduce risk

Nearly 1 in 5 businesses saw critical system interruption due to security events in 2017, resulting in internal systems slowing, customer support being knocked offline, non-functioning products and websites going down.1 Making sure your software is current is an extension of your first line of defense in protecting against cyberattacks and fraud.

While applying software upgrades can be a major project consuming a significant amount of operational resources for planning, testing and creation of new operating procedures, they can be a transformative tool in improving your cybersecurity profile. These efforts tend to be treated as an operational necessity, taking away resources from other projects. However, the importance of protecting your data cannot be overlooked. Many retirement plan providers have even turned to an ASP provider, like FIS, for their software hosting needs to ensure the latest security features and patches are automatically deployed across their software to address new and emerging threats.

Several reports indicate that the Equifax breach may have been prevented by applying a known security patch. Making software upgrades a part of your cybersecurity strategy can help prevent those missteps and can also be an opportunity to enhance, train or re-emphasize the human protocols related to supporting your overall culture of security awareness. New protocols and upgrades are being put in place constantly – from encryption to data masking – to address the latest threats, and ensuring your software is current only helps fight against future attacks.

[Callout: The Common Denominator in Cyberattacks Is Social Engineering, or the Manipulation of Users and Employees* ... and yet 48% of companies have no formal procedures for responding to threats.]

[Callout: Nearly 1 in 5 businesses saw critical system interruption due to security events in 2017.*]

Conclusion

Cyberattacks are on the rise and no one is immune. Retirement plan providers need to be ready and diligent in identifying vulnerabilities within their organizations to help protect plan participants. Developing a security culture where information security teams, employees and software work together to diligently identify and protect against cyberattacks and fraud is key to keeping threats at bay. Improving cultural awareness and training is the first step in reducing the overall impact to your business and your plan participants. It is also important to understand what your partners, like FIS, are doing to address the threat. Some of your most sensitive data is on vendor systems and in many cases held within their data centers. It is imperative that you understand their strategy, as it will be a defining feature of your own. You can easily learn a lot by asking simple questions such as: What is their approach to threat identification? How do they validate products before they go to market? What is their upgrade process? While this won’t replace penetration tests, due diligence visits and detailed questionnaires, it will give you a good read on their culture of security awareness.


About FIS Wealth and Retirement Administration

FIS provides wealth management and retirement technology and services that help banks, trust companies, brokerage firms, retirement plan administrators and advisors accelerate asset growth and optimize operations to achieve better outcomes for the end investor. We provide solutions for client acquisition and communication, transaction management, risk and compliance, portfolio accounting, plan administration and reporting that can be deployed as stand-alone products, part of a unified platform, or outsourced services.

About FIS

FIS is a global leader in financial services technology, with a focus on retail and institutional banking, payments, asset and wealth management, risk and compliance, consulting and outsourcing solutions. Through the depth and breadth of our solutions portfolio, global capabilities and domain expertise, FIS serves more than 20,000 clients in over 130 countries. Headquartered in Jacksonville, Florida, FIS employs more than 55,000 people worldwide and holds leadership positions in payment processing, financial software and banking solutions. Providing software, services and outsourcing of the technology that empowers the financial world, FIS is a Fortune 500 company and is a member of Standard & Poor’s 500® Index. For more information about FIS, visit www.fisglobal.com.

www.fisglobal.com | twitter.com/fisglobal | linkedin.com/company/fisglobal

©2018 FIS. FIS and the FIS logo are trademarks or registered trademarks of FIS or its subsidiaries in the U.S. and/or other countries. Other parties’ marks are the property of their respective owners.
