The Biggest Threat to Life and Annuity Issuers Is Not the DOL Fiduciary Rule

Commentary April 30, 2024 at 11:40 AM

This is the latest in a series of columns about annuities and retirement planning.

Recent ransomware attacks show that passwords and Social Security numbers have stopped working as secure methods of authentication. Life, health and annuity issuers are, obviously, deeply concerned but seem to lack the right, extreme level of panic.

While the widely discussed Labor Department fiduciary definition could affect how life insurers' agents and advisors get paid, how much they get paid and how easily they can work with low-asset clients, the identity verification problem could affect any effort by life insurers or intermediaries to do business with clients — at all.

How can insurers or intermediaries do business with consumers, especially online, if current and prospective customers have no good way to prove that they are who they say they are?

This should be the year when U.S. life and annuity issuers sponsor the biggest booth at every identity verification technology conference, pay for the best banquet and send so many attendees that conferencegoers have to bribe the pass checkers to get into the breakout sessions.

The list of upcoming U.S. identity technology conferences includes The Identity Engine, Identity Week America, Authenticate 2024, the Internet Identity Workshop and the Gartner Identity & Access Management Summit.

At The Identity Engine, for example, the companies sending attendees to the conference will include Aflac, Equitable, MetLife, Nationwide, Sammons, Securian, The Standard, TIAA, Unum, USAA and Venable, along with industry tech services providers, such as Datos and LexisNexis Risk Solutions.

It's great that those companies are sending attendees to the event. But, as far as I can tell, those companies aren't event sponsors. They don't seem to be sponsoring the breakout sessions. They don't seem to be sponsoring the meals.

This list raises questions such as:

Why isn't every life and annuity issuer on the conference attendee list?

Why aren't any life and annuity issuers in the Strategic Partner sponsor category?

Why aren't life and annuity issuers at the top of a list of organizations begging every scientist, mathematician and science fiction writer on Earth to brainstorm ideas for new tools we can use to show who we are?

Why is it possible for a computer scientist to go into a building at Cal Tech, MIT, Stanford or the international equivalents without hordes of financial services industry representatives throwing flowers at them and pleading with them to think of something?

At this point, the identity theft crisis appears to be turning into a life-or-death issue for the financial services sector. If the customers lose their ability to show who they are, how can financial services companies insure them or manage their assets?

The Cl0P hacker gang attack on the MOVEit file transfer system, which hit in May 2023 and may have affected more than 85 million people around the world, once seemed like a big life and annuity sector identity theft incident, because it hit a company that helped insurers and retirement benefits administrators determine whether people were alive. The information stolen included many people's Social Security numbers.

Then, the Russia-based hacking gang known both as ALPHV and as BlackCat hit UnitedHealth Group's Change Healthcare medical billing business.

How bad has the Change attack been?

The American Medical Association has estimated that, as of the week ending April 3, about 36% of U.S. physician practices may be having trouble with getting paid.

A House Financial Services Committee subcommittee held a hearing on ransomware around the same time UnitedHealth was posting its first-quarter earnings.

UnitedHealth announced the following on April 22, in a press release that the company filed as a notice with the U.S. Securities and Exchange Commission: "Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America."

At the House Financial Services subcommittee hearing on ransomware, Kemba Eneas Walden, president of the Paladin Global Institute, noted that ransomware gangs now gather extensive intelligence before breaking into organizations' systems and negotiating for ransom.

Walden provided a sample ransomware gang negotiator message.

"The negotiation process and back-and-forth communications are often surreal," Walden said, according to the written version of her testimony.

She showed how one gang that hacked a public school district explained that it had examined the district's bank and insurance records and had concluded that the district was exaggerating its poor financial condition.

"We also calculated your possible losses from lawsuits from both your staff and your students for the leakage of their personal data," the ransomware negotiator told the district. "These fines will exceed $30 million. We are not talking about the loss of reputation, which in our opinion costs more."

In another case, Walden said, ALPHV reportedly filed a complaint about a victim company with the SEC because the victim company had failed to comply with SEC cyber incident reporting guidelines.

The bottom line is that it's becoming increasingly difficult for companies both to protect data and to verify who we are. The same safeguards financial services companies adopt to protect our assets may very well keep us from getting into the mobile phones, computers and online systems we need to track, manage and use our retirement savings.

And then, if and when quantum computing becomes common and speeds up the process of cracking passwords, that could open the curtains on all of our financial accounts for all of the unscrupulous players in the world to see.

The U.S. Department of Labor is obsessing about the savings we may lose due to getting conflicted, mediocre but generally law-abiding retirement investment advice and ignoring the grave possibility that many of us could get locked out of our retirement accounts completely because we forget our passwords, lose our computers, lose our phones and have no practical way to show financial services companies that we're us.

Life and annuity issuers, asset managers, retirement plan managers, other financial services companies and regulators need to recognize this for the truly existential crisis that it is, with their Platinum Tier conference sponsorship money and their venture capital funds as well as their white papers, and help create the new, better data security and identity verification strategies of the future.

© 2024 ALM Global, LLC, All Rights Reserved.