Are retirement plan providers ready for the next 9/11?

In observance of the 20^th anniversary of the Sept. 11 attacks, the InvestmentNews team has written a series of reports looking at how the financial industry has changed in its aftermath and been preparing for the next 9/11 event. Though the specter of something worse continues to be a frightening possibility, rather than pushing 9/11 out of mind or writing it off as an aberration, InvestmentNews contemplates the impact and potential consequences of being unprepared for the next attack from several industry perspectives.

In the third installment of the series, Emile Hallez looks at how providers of retirement plans are readying for a cyberattack in an era when members have unprecedented access to information and accounts.

Retirement plans were hardly the first thing on anyone’s mind in the wake of the September 11 attacks, but the events did raise an important issue for 401(k) record keepers.

“In the immediate aftermath of 9/11, a lot of companies realized that they always planned for their building to go out -- not for the entire city, or the entire industry, to go out at any time. I think they started to plan for that a little differently,” said Tim Rouse, executive director of the Spark Institute. Contingency plans were updated for more “dispersion of systems,” either through the cloud or numerous data centers, he said. 

And while companies had contingency plans for trading and account maintenance leading up to the attacks, “very few could anticipate was that all companies across the country would go into crisis mode at the same time,” Rouse wrote in an email. “There is always a point at which you need to improvise.”

At the time, 401(k) account owners did not inundate providers of retirement plans with calls. Today, an event on that scale that would affect markets would likely lead to more calls and account activity. 

“Most people were in shock,” Rouse said. “By the time things began to settle and participants were calm enough to think about their 401(k)s the market was already showing signs of coming back.” 

Physical attacks are always a potential threat that companies must plan for, but cyberattacks have become a more regular concern, he noted. 

“If you heard today that there was a ransomware attack on a financial company and it was locking up 401(k) accounts, what’s the first thing you’re going to do? You’re going call your 401(k) company.” 

Recently, regulators have been paying much attention to that subject. The Department of Labor, for example, issued cybersecurity tips for plan service providers, sponsors and participants. The DOL is also currently collecting data and auditing plans on their cybersecurity. 

And the issue has prompted cooperation within the retirement plan industry. Spark has a data security oversight board and made a partnership in 2018 with the Financial Services Information Sharing and Analysis Center, establishing the Retirement Industry Council. 

“The industry has been working closely with law enforcement and with each other,” Rouse said. “When it comes to cybersecurity, our industry has banded together to help one another and better protect the overall market.” 

Tomorrow, Bruce Kelly tracks the geographic shift of advisers out of Manhattan in the 20 years since the attacks.

More articles in this series:

How the advisory industry has been preparing for the next 9/11 event by Mark Schoeff Jr.

Prepping fintech platforms for the next cyberattack by Nicole Casperson

Why Wall Street just isn't Wall Street anymore by Bruce Kelly