PLANADVISER - Winter 2023 - 27

Grimes proposed that firms have a plan in place in case a cybersecurity incident were to hit. He recommended to the virtual audience that they know whom to reach out to.

"You don't want to make those sorts of decisions in the midst of the crisis," he said. "It's nice to have a thoughtful plan, ahead of time. If the worst happens, you can approach it in the best way."

Grimes said institutional investors, plan sponsors and advisers should, as preventative measures:
* Be cautious of social engineering such as fake emails and websites;
* Mend unpatched software;
* Regularly update software, firmware and routers; and
* Use multifactor authentication and different passwords for every site.

"Those four things," he said. "If you can do them, it will probably mean that you're very unlikely to get compromised."
-Natalie Lin

Vetting Providers' Cybersecurity Processes

How can asset owners, sponsors and plan advisers scope out the bona fides among cybersecurity vendors, whose expertise is key to protecting networks and other digital assets from breaches?

A panel at the "Vetting Providers' Cybersecurity Processes" session offered safety tips for protection from the legions of hackers. It was moderated by Glenn Davis, deputy director of the Council of Institutional Investors.

One vital tool, according to the panelists, is audits of third-party providers done under the auspices of the Service Organization Control Type 2 (aka SOC 2) compliance framework. The framework was established by the American Institute of Certified Public Accountants and is designed to ensure the security of client data that third-party administrators handle. It does this by specifying how organizations should manage customer data.

Further, speakers said, the SOC 2 Type 2 report outlines a company's internal controls and details how well it safeguards customer data, specifically for cloud service providers. A third-party audit can reveal whether security protocols are safe and effective.

"This drives confidence and removes speculation" in the screening procedures of providers, advised Jon Atchison, senior lead of governance, risk and compliance at investment adviser firm CAPTRUST.

To cite an example of what can go wrong, Atchison, a speaker on the livestream, pointed to a recent, large cybersecurity failure: the breach of MOVEit file transfer software, which exposed sensitive personal data from governments and businesses internationally and potentially involved millions of people. "MOVEit wasn't the first and won't be the last," he said.

SPEAKERS
Nick Brezinski, director of information security and network, CAPTRUST
Larry Clinton, president and CEO, Internet Security Alliance
Roger A. Grimes, data-driven defense evangelist, KnowBe4

"It's always good for any organization to think about what the rules are that apply to you ..."

One task for providers is to guard against threats from employees and other insiders, said panelist Allison Itami, a principal in Groom Law Group, whose Employee Retirement Income Security Act practice focuses on data privacy and data security. These in-house folks can pose a risk of theft or fraud, Itami said. "As long as humans are involved," cyber vulnerabilities will be around, and a lot is at stake, she said. "If you lose money or have a data breach, trust is eroded."

What is vexing is that no absolute shield exists to foil cyber mischief. "No one can be 100% safe," said panelist Mario Paez, national cyber risk leader at Marsh McLennan Agency, which sells insurance to organizations to protect against breach liabilities.

Some think that other business insurance, not tailored to digital crime, will be sufficient, and they are wrong, Paez said. Certainly, specialized cybersecurity policies are complex, "and the devil is in the details," he stressed. For that reason, he continued, it pays to get a cybersecurity-savvy insurance broker to advise on what is best for a company's particular needs.

Insurance, he said, must cover a range of necessities that can be created by a breach, including: extortion coverage in case of a ransomware attack; business losses; the costs of notification to people affected by a breach; and forensic probes of how and why an incident occurred.
-Larry Light
Percy Lee, associate, Ivins, Phillips & Barker
Thank you, Marsh McLennan Agency, for supporting the event.
Plan Management | Winter 2023 | planadviser.com 27
http://www.planadviser.com
