Wilshire Advisors has said it was the target of a ransomware attack that took place on March 4.
“Once we learned of the incident, we activated our Information Security Emergency Process and disconnected parts of our network to attempt to contain the attack,” a company spokesperson said in a statement. “We also deployed internal and external incident response teams and notified law enforcement.”
The spokesperson also said that the company is working to restore systems and will be providing updates to clients as appropriate.
Tim Rouse, executive director of the SPARK Institute, a nonprofit retirement industry trade association, says the attack is a reminder that fiduciaries need to make sure the service providers they use to maintain plan records and participant data follow strong cybersecurity practices.
“Clients want to know that the financial services firms that they’re working with have put in place proper security,” Rouse says.
Rouse’s organization recommends that its members use 16 data security control objectives to assess a service provider’s overall data security capabilities, including risk assessment and treatment, security policy, physical and environmental security, and incident and event communications management. The objectives are described in detail in the SPARK Institute’s best practices guidance.
“These are the 16 critical areas that the plan sponsor wants to know to find out if they’ve done their due diligence,” Rouse says. “For each of those 16 categories, look at what controls are in place to test that category, how are those controls tested, and what the test results are.”
According to the Department of Labor’s Employee Benefits Security Administration (EBSA) tips for hiring service providers with strong cybersecurity practices, plan fiduciaries should ask about a service provider’s information security standards, practices, policies and audit results, and then compare them with the industry standards adopted by other financial institutions. EBSA also suggests looking for service providers that follow a recognized information security standard and that use a third-party auditor to review and validate their cybersecurity controls.
Other EBSA tips include:
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standards.
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the firm’s services.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
- Make sure that any contract signed with a service provider requires ongoing compliance with cybersecurity and information security standards—and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.