The 401(k) Audit CPA Success Show: Episode 18
As technology continues to evolve, businesses should make cyber security a priority. Our tools and processes become smarter as technology improves, but so do the attempts of hackers. This poses a big threat to the sensitive information that businesses currently have in their possession. Today, Jamie Nau sits down with Kim Moore for a deep dive about cyber security and the ways in which 401(k) plan administrators can protect their clients from cyber threats.
Jamie Nau: Hello, everybody. Welcome to today's podcast. Kim has come up with a really good topic for us. So as with any accounting firm, this is a topic that you should think about all the time. Today we're going to talk about cyber security. I'm excited to dig in. So welcome to the show, Kim.
Kim Moore: Thanks Jamie. Glad to be here. Yeah, I think this is a topic that we have all heard about in the news, just kind of in general. It’s a hot topic, cyber security. I think a timely topic. The other reason I wanted to bring this up, we've had several conferences that the team has been attending. We go to conferences that are specifically about benefit plans, and they're sponsored by the AICPA, as well as other state societies that oversee accountants. Cyber security is the first thing on their list to talk about. So that's one reason why we want to be concerned about it. Another reason, because I know people are kind of like, oh, cybersecurity. They kind of just blow it off and think why do I really need to worry about this? We want to point out that if you are a plan sponsor, so if you're a company sponsoring a 401(k) plan or you're one of the main individuals that work with the plan at your companies, you’re a plan administrator, a plan trustee, if you're in H.R. or the benefits area, this would all apply to you. You are a named fiduciary to the plan, so you are responsible for everything that happens to that plan if something were to happen. And there have been lawsuits around this area. We expect there to be more. Obviously, it is your responsibility to ensure security around the assets held by the plan, even though you don't hold them. I mean, the company is not physically holding them. They have a provider that's doing that. You're still responsible. So it's another reason why we wanted to bring it up.
Jamie Nau: Yeah I think the other reason too, some of these plans have quite a bit of money in them. Any time there's money, large amounts of it, the cyber security crooks follow.
Kim Moore: Absolutely. I know the DOL has talked a lot about that. Also with the pandemic folks have lost their jobs or maybe, you know, just all kinds of situations where they may need some extra cash. You know, obviously, these plans have a lot of money in them. They know there are vulnerabilities associated with them. Going to talk a little bit more about that here in a minute. So that's where they're going to go. We expect there probably to be more activity. From what I've seen from a legal standpoint, of course you don't know if it's handled internally, but from what you can see from the outside, they've been more one-off type of events. You know, we haven't really seen where a big provider, like a Fidelity, had a big hack. You know, that's not to say it couldn't happen tomorrow. I mean, there's events happening all the time. But from what we've seen, they have been more at an individual level. So that is interesting and makes the risk different. That's not something, when people think of cybersecurity, they think of, you know, these big companies and they read about in the news where, you know, an outsider sometimes from a foreign country gets in and attacks their website or their I.T. systems and they're able to get in. And that's what they think of with cybersecurity. And that is certainly a big part of it. But that's not the only risk here. So we're going to be talking a little bit more about that. But, yeah, it's definitely a big issue. Big dollars. There have been instances of it, there have been court cases, so definitely an area for everybody to be concerned about.
Jamie Nau: Yeah, I think it's something that if you're not thinking about it, then you're not doing your due diligence as the plan fiduciary. So I think you have to make sure you think about it and address it. So let's dive right into it. What should we be doing? What should we be thinking about?
Kim Moore: Yeah, I have broken this out into a couple of different paths to take. I mean, the first thing, we talked about this a little already, the assets are actually held by someone else in almost all cases. So you have a trust company or some type of service provider that's actually holding the assets, and the criminals or the fraudsters out there obviously, they want to get a hold of the cash. They want to convert those assets into cash and get them into their hands instead of with your provider that's holding the assets. So that's where I would start first off. You should know who actually physically holds the assets. I talk to a lot of our clients and potential clients and ask them who they are utilizing as a service provider. And they will oftentimes tell me the record keeper or the people that they're working with on a day-to-day basis for the participant level transactions, or they have a question or a participant has a question. That's who they work with. But most of the time, those folks do not hold the assets, it’s usually some type of custodial arrangement. Now it may be through the same company. So for example, Fidelity has a trust company that they use. It may still be Fidelity, but it's not the same people you're dealing with on a day-to-day basis. So the first thing to do is figure out who's actually holding the assets. Once you figure that out, I would just start asking a few questions. So ask them, have they had any breaches? Maybe they had some before you were using them as a service provider. Or maybe they did and they didn't tell you. So I think it's a good question to ask. If they have, you'd obviously want to find out more information about that. If they say no, never had that problem, then another set of questions to ask is have you thought about that? If you did, what would you do? How would I be notified? So you kind of go down that path of just trying to figure out, has this happened? If not, you know, how would it be handled and how would you be notified around that.
Jamie Nau: Is that a question they are required to answer?
Kim Moore: I suppose anybody cannot answer a question, and again we're going to talk a little bit later about what to do if you really are uncomfortable with the situation. I think, you know, you're going to have to judge it on a facts and circumstances basis. So make sure that you're asking the question to the right person. Again, if it's your person that's just a rep on the plan and they're handling day-to-day transactions, they may not know because that's probably a whole different area of the company. So don't just say, oh, well, they didn't know, I'm going to switch companies here, so make sure you get the right person. But if you kind of ask around and they, you know, they won't answer the question, they're hedging, I don't know. That would make me think they don't have a plan and that would make me uncomfortable. Now if you're trying to say, well, what are all your specific controls in your I.T. department to prevent an outsider getting in? Those could be confidential. I could see someone not wanting to divulge that. That would make sense. But just asking, have you had a breach or not? And if you did have one, what would be your process? What would you do? I don't think that's in any way confidential. They certainly have a plan and they should be able to communicate it to you. And I wouldn't be surprised if they don't already have a brochure and they can just say, here you go, here’s the brochure that answers your questions. You know, I would think the big providers would certainly have that. So I would hope they would answer your question. If not, I think that, you know, calls for a little further evaluation, if they can’t answer or refuse to answer. The next thing that we kind of get into is when you're talking about if they had a breach or have made plans around the breach, there are levels of insurance that you can get. So, you know, that would be something they maybe would divulge or not, I'm not sure. But you could ask them if there was a breach and it was not through any fault of your plan. So your plan didn't do anything. You just had assets with them and someone broke into their system from an external source. You know, what would they be prepared to reimburse the plan for losses? A lot of times that's going to get into an insurance situation, so that would be another thing that you could ask them. Do they cover that or is there an expectation that you're covering that? Because obviously, if you're supposed to be covering it, you would need to know that. You would have to handle that. So that's kind of the first avenue I would go down. The second avenue, this gets a little bit more detailed, I think you have to have a little bit of I.T. knowledge to kind of get into some of these things. So if you don't have that kind of background, then I would suggest that you maybe talk to someone in your I.T. department. Do a little bit of research before you kind of go down this path. Get a little bit of background knowledge if this is an area that you're not real familiar with, and we're going to talk about looking at the controls over the data, which data would be personal information about your participants. You want to make sure that you're looking at kind of all the avenues. You really have to almost step back and say, if I wanted to commit fraud, how would I do it? What kind of information would I need? How would I go about this? And then as you think through, you know, three or four scenarios, you'll come up with more information that you might need to be asking or you might need to know in additional areas that you can look at. So we always suggest look internally, because you have information internally, primarily in your H.R. and payroll areas, that a fraudster could exploit. So that's one place you've got to look. Secondly, your service providers, as we mentioned, your record keeper has information, similar information. Actually, the asset holder has information about the assets. And then you also have to worry about your payroll provider because the payroll system has, of course, information about your employees, Social Security numbers, addresses, pay, you know, are they in the plan or not? All that's in your payroll system as well. So you kind of have to split out all of those four things and then go down this avenue and say, you know what? What kinds of avenues could a fraudster use to get access to the information? What would they do with it? And is there any way I would know if someone did get access to it that shouldn't have? So that's kind of what we're going to be talking about here.
Jamie Nau: Make sure you use your resources. You know, depending on the size company you are, you know, you probably have some sort of I.T. department or some people that are somewhat familiar with it. So, you know, again, you're not in this alone. You can bring them into it and have them take a look at it, because obviously they're building controls around your company and they understand the controls a little better than you do. So don't be afraid to use the people within your company or even people that you know your company consults with.
Kim Moore: Absolutely. There are firms that will come in and do some of these I.T. reviews. Now, they're not specifically targeting 401(k) plans, they are for more general company type reviews. But you could certainly ask them to look at this as well. As you mentioned, your I.T. personnel would be a good resource. Also, don't be afraid if you have an internal audit function, they should have knowledge around this area, or if you have an external auditor, not necessarily for your 401(k) plan, maybe just an external auditor that audits your company's financial information. They have to look at I.T. controls as well. So they should have someone that could help you with this. Obviously, you might have to pay a little bit more for that kind of consulting, but they should certainly have folks to help you with this. So very good point. So let's start with a service provider, because this might be the easier way to focus. Service providers would, of course, include those record keepers, your custodian and your payroll service provider. All those entities, if they're large enough, should have something called a SOC report. We've talked about this on previous podcasts. That's a report that they've hired an external accountant to come in and document their controls and then test those controls. And they, in almost all cases, will be testing I.T. controls. So we're going to talk a little bit about the I.T. controls you should be concerned with here next. But a good avenue is to get a hold of those SOC reports. Those are easily available. Just ask whoever your rep is, they should be able to get that to you, and then it will actually detail what the controls are. It'll show you that the accountant tested those controls. If there were any problems noted, they'll detail those as well. So that's another thing that can give you comfort that there are controls at my service provider and, you know, they have been tested. They were found to be okay or not, and if not, then they'll usually give you additional information about how they're going to fix whatever the problems were that were noted. So that's a good resource without you having to try to call up a Fidelity and say, hey, I want to know about your I.T. controls. And, you know, you're not an expert in that. This is a way to get at that without having to, you know, dig into it and do it yourself. So that's probably the best place for those service providers. You know, you can go down the avenue of trying to do it yourself. But I would recommend the service providers. Again, if you use an auditor, you can ask them if they've reviewed this report, they usually are pretty good at reviewing them. They can point out any issues they noted. So that would be another avenue. So you don't have to take time to do it. Just ask them.
Jamie Nau: It’s been a while since I've looked at all of these reports. I remember looking at them back when I was doing audits. They actually are pretty easy to read. They call out the errors. So I don't think they're overly complicated.
Kim Moore: They're, you know, real easy when you're looking at the test. If you don't want to dig into all the details of the tests, it's basically almost going to be a yes or no. Did it pass or fail? And if it's a no, then there'll be more description. But the yes, it could be a pretty quick review. So let's talk internally now. There's a couple of things internally that we suggest people focus on. One is more I.T. related as it relates to single sign-on. So if your company uses single sign-on type password and access security. So I come in to work in the morning and I sign in once, and then internally the system kind of directs me and signs me into other systems. You've got to worry then about the security around that single sign-on. Again, if you use that or if you're not sure, I’d talk to your I.T. group there at your company. That's an easy question for them. They can tell you yes or no. If it's no, this is a non-issue. If it's yes, what are their controls around that? How do they make sure that gets updated? Things like that, so that's one place I would definitely look at. Another thing I would worry about is, you know, we all talk about everything's paperless, we don't use paper anymore, but in reality, we all still use paper. And so your H.R. department, your payroll department, those are the two main places. Anything where you've got employee information, maybe that's in finance too in some cases, or in a tax or a compliance area, if you have such a function in your company, any of those places where you're going to have company employee type information, you want to make sure that those areas are physically secured. You know, you don't want to take somebody’s I-9 and leave it on your desk when you go to lunch. It sounds silly, but that's one of the best ways for a fraudster, and you've got to consider fraudsters could be inside your company as well. So you've got to be careful. Don't leave any of that stuff out where people can see it. Don't leave blank forms out either, because if you're using paper forms for people’s disbursements out of their account, they can grab up a few of those, put in their information and send them in and see if they can get them processed. So just be careful.
Jamie Nau: I know in some HR offices, at least in the companies I've worked at, there is pretty heavy traffic. So leaving that stuff out on a desk unattended, there's going to be a lot of people walking through that might see something unintentionally that they should not be seeing.
Kim Moore: Yeah, very good point, because it could be, you know, a potential candidate you're interviewing. It could be people that you're terminating service. And so all kinds of things can happen with that. So definitely check that. So from there then I wanted to get into what exactly do I need to check? So I'm not going to make this an I.T. course here, but just try to run through some tips fairly quickly. First thing is passwords. Passwords are one of the best controls you have to get into any system or keep people out of the system. So obviously you want to make sure that you do have password controls. So that's the length of the password. The password shouldn't be one, two, three, four. It should require you to have a certain complexity. They should have to be changed periodically. You should look for those in that SOC report we talked about, you should also look internally because people are going to potentially access their 401(k) plan while they're at work. You also will have H.R. and payroll personnel that will be accessing the plan from a plan level perspective, they probably have what we call administrator level access, which is a higher level access. They can usually do more things. They have access to information that an individual participant would not have. So you want to make sure that the passwords for those folks are really strong or changed regularly, make sure that the people that actually have that access need to have it. Make sure you review that regularly. If someone moves around and they're not in that role anymore, that access should go away immediately. You do not want to leave that change until you get around to it, even though the person is still here. That's the prime way for there to be a problem.
Jamie Nau: I would imagine nowadays most of these companies do give you those options. Most providers will give you the option that is pretty complex for password requirements. But sometimes you do have to elect them, I imagine as well.
Kim Moore: That's right, and some of this is going to be internal as well as external. So you kind of have got to look at all the different ways that you might be accessing the plan. But, yeah, you're right, a lot of the big providers have that built in. So that may be easy. Another thing, I call this know-your-customer controls, but one of the things that you'll want to ask your service provider is how do they accept transaction information from their customer, which would be your employee, your participant. So if I'm in your plan and I want to take a loan out, how do I do that? And in a lot of cases, it isn't a paper form anymore. I may be allowed to go online with my password and that to request it. But I also may be able to call. So I get on the phone. I call the provider. Hey, I'm Susie Jones. I'm with your Plan ABC. I want to take out a loan. What do I need to do? And you can process it right over the phone. That's been around for a long time. So one of the big controls there is how do they make sure it's Susie Jones? I mean, I could be calling and saying, I'm Susie. And that's where that information that H.R. and payroll have, and securing that, is so important, because if I can get some information on Susie, I can call up and pretend to be Susie. A lot of times the lawsuits I've been seeing have been in this space. So those controls weren't that good. The provider is making some assumptions that it sounds like Susie. She's got some information I would think she probably would, you know, need to know to be able to call in. They go ahead and process that. Come to find out, Susie then, three months later, goes and looks at parts of her statement and wonders why is there a two hundred thousand dollar disbursement here? Of course, the money is long gone. They have no idea who actually got the money. So this is an actual real world loss situation. So, you know, the big providers are trying to be really careful in this area, but that all comes down to the person answering the phone. So, again, I would be really careful in that area. I would talk to them about it, you know, try to find out, you know, what are the controls in that area. Look at the SOC report. The SOC report should talk about this. But another control that you can have in this space is, again, the fraudsters want the money out of the plan. They don't care about the money going in. They don't care about the investments. Are they making money or not? They only care about getting money out. There's really only two big ways to do that, a disbursement or a loan. So if you're reviewing those transactions and you see, you know, Susie still works here, Susie just put a request in for a two hundred thousand disbursement, what's going on? You know, call Susie. Walk down the hall and say, hey, did you actually do this? You can stop it before it happens. So that's why we recommend you review all of those transactions. You know, you don't have to be investigating every single one, but if you see something that looks a little odd, you know that would be a good time to go check it.
Jamie Nau: I think a lot of companies do the two-factor authorization. People can get your information, but they don't always have your email or your phone number. So I think that's another smart control that I've seen.
Kim Moore: Right, it's verifying you really are who you are. You know, people can get a hold of passwords and they're not as secure as they used to be. So another thing that we talked about already was the physical security. You want to look at physical security, as we mentioned, within your H.R. and payroll departments. But you also want to look at that in the SOC report. Make sure physical security at your provider is good, because just as you could leave information laying around, your provider could do the same thing. You also need to be concerned about physical security around their data center. And that should all be documented in the SOC report. That gets a little technical. Same thing with the next thing on the list, which is backups. That can get a little bit technical. Doesn't sound like it, but it actually can get a little technical when you're actually reading the report. So just make sure that that's covered in the report. Make sure there were no issues there. If there were, you know, you want to follow up. Usually in those reports, the issues we tend to see are around access security. So they're not reviewing the folks with IDs routinely. And so a person will move from one job to another, a person leaves the company, and they're not shutting the access off timely. That's the type of errors that we see the most often in the I.T. sections of those reports. So not to say you couldn't have them in these other areas, but that's really what we see the most. So pay particular attention in those areas on the SOC reports. We mentioned the distributions and the loans. Take a look at those, review those on a regular basis. And we talked about the hard copy documents being left out. So there's certainly a lot of other areas that you could think about. I encourage you to just sit down and take a half an hour, kind of do this risk assessment in your head. If I was going to conduct a fraud, how would I do it? Make some notes and then go, you know, trace that down through the controls and make sure that you feel comfortable with the controls in all of those locations we talked about.
Jamie Nau: I think it's also important to document that process. You know, I know we've talked about this in another podcast, but if I'm going to spend an hour once every six months doing that and reviewing the SOC report and asking questions and thinking through it and really evaluating the risk, it is important to document that you did that. It will help if you have auditors who come in looking for your controls.
Kim Moore: We would love it if our clients did. But you're absolutely right. The other thing it helps you with, if something does happen, it will protect you in the event of a lawsuit, because what the people are alleging in the lawsuit is that there was no oversight. You know, no one at the company was looking. It was just a free-for-all and someone just took my money and just let it fly out the door. If you can sit there and say no, look what we did. It doesn't mean you're still not going to be liable for anything, but it will certainly help protect you from those kind of excessive penalties that you might be exposed to. So if you do all this and you're like, oh, I found some things in that SOC report that make me feel uncomfortable, or I'm not so sure about our controls over this area. What should you do? Well, internally, obviously, you have the opportunity to fix that. We always, you know, people are always like, well, now I've got to go spend money because I've got to, you know, I've got to change things or I've got to have somebody do an extra task that they weren't doing before. But consider, you know, yes, it's a small investment and nobody likes to make those. But is it worth the bigger investment you'll have to make if there's a loss? Because if there's a breach, it's going to be very expensive and you'll be exposed to all kinds of scrutiny from all kinds of regulators and, like I said, potentially a lawsuit. So a small investment now is definitely worth it. Definitely something that you would want to talk to probably your supervisor about is, you know, whether it's worth making that investment. And if you decide not to, again, document why, because that could come back to bite you. From the service provider side, as we mentioned, there's the SOC report. You may want to talk to your rep if you're seeing things in that SOC report that make you uncomfortable. Again, that's not the rep that you deal with on a day-to-day basis that is processing the loans and that, but more like your sales rep, someone from a higher level standpoint, and just explain why you feel uncomfortable. They may be able to provide some additional information to help get you there. They may talk about some ongoing initiatives that can help, you know, that aren't quite there yet but will be soon, and that may make you feel better in the long run. If you don't feel comfortable, you really should consider changing. I know that's painful. I know that, you know, none of us want to do that for a lot of reasons. In the long run, the best interests of the plan, which is what you as a fiduciary are supposed to be watching out for, that may be the best long term solution. And so if that's the case, you know, you need to have that discussion. I would talk to your supervisor, you know, and obviously that's an ongoing discussion you'll have to have.
Jamie Nau: I think the overarching theme is to remember what you're doing here. You are dealing with people's investments that are funding their retirement. And so, you know, you want to make sure that you're thinking through these things. If you have that pit in your stomach that something isn't right to you, act on it, because you are not just dealing with your company’s money, you are dealing with people and their money. So I think that is really important. So Kim, any final thoughts for listeners to make sure they're considering when it comes to cybersecurity?
Kim Moore: Yeah, you know, it’s a critical area you want to spend some time on. I know it's hard for people, it's not where most people's interests lie. Check out the Department of Labor and the AICPA, which is the American Institute of CPAs, websites for research. Both of those institutions have booklets, pamphlets, one-pagers that can give you some additional information. So if this is an area that has piqued your interest and you're like, I'd kind of like to research that a little more, you know, there's more information out there. Obviously, you can Google cyber security too. So there's a lot of new information out there that can give you specific guidance. We're happy to help consult if you have any questions, just give us a call. We'd be happy to help you out and give you our thoughts on your specific situation.
Jamie Nau: Well Kim, I appreciate all the research you did and sharing it with us all. Until next time.