TSP fails security audit

PoppyA
Posts: 416
Joined: Sat Oct 11, 2014 4:24 pm

TSP fails security audit

Post by PoppyA » Tue Feb 27, 2018 11:34 am

http://www.govexec.com/oversight/2018/0 ... c_today_nl

And they don’t insure for theft! Uggg! Is this a Reason to consider moving money out?
"La Bella Luna"

Bammerman
Posts: 297
Joined: Fri Apr 06, 2007 4:58 pm

Re: TSP fails security audit

Post by Bammerman » Tue Feb 27, 2018 1:15 pm

Not very awe-inspiring, I'll grant. At least there are promises to improve: "...the agency is moving forward with plans to implement Williams Adley’s recommendations, and it will strengthen its contractor oversight policies. She provided a roadmap that projects the agency will reach a Level 3 score—“Consistently Implemented”—in fiscal 2019"....

As regards insurance, I believe that the federal government always "self-insures".

As for myself, I'm not going to make any changes to my TSP account based on this article.

Watty
Posts: 13775
Joined: Wed Oct 10, 2007 3:55 pm

Re: TSP fails security audit

Post by Watty » Tue Feb 27, 2018 1:43 pm

PoppyA wrote:
Tue Feb 27, 2018 11:34 am
And they don’t insure for theft! Uggg! Is this a Reason to consider moving money out?
Be sure to also understand the inheritance rules for a TSP since they are in some situations a lot worse than for an IRA. There is a wiki on this.

https://www.bogleheads.org/wiki/TSP_estate_planning

There was a post a while back where they had run into this situation:
1) Dad had a large TSP, he died and left it to his wife.
2) Wife was fine with that and left the money in the TSP, but she died a few years later and left it to their kid.
3) With the TSP rules the kid could not leave it in the TSP or roll it out to an inherited IRA.

The kid was forced to take a large taxable distribution of all the TSP funds in a very high tax bracket since they were working and already in a moderately high tax bracket.

If either the Mom or Dad had rolled it out to an IRA the kid could have an inherited IRA and while they would need to take RMDs they could have spread that out over decades. With federal and state taxes this cost the person nearly half the TSP in taxes.

Mako
Posts: 108
Joined: Wed Feb 28, 2007 9:34 am
Location: Havre de Grace, MD

Re: TSP fails security audit

Post by Mako » Tue Feb 27, 2018 1:56 pm

Watty wrote:
Tue Feb 27, 2018 1:43 pm
Be sure to also understand the inheritance rules for a TSP since they are in some situations a lot worse than for an IRA.
*snip*
Thanks for this. Seems crazy. If they dismantle the G fund as they'd like to (proposed, folks who haven't heard can google it, please no further discussion) I think most savvy people will have no use for the arcane and restrictive rules of the TSP. I will probably roll out when retired unless things are a lot better by then (admittedly that's still 20ish years off for me).

whodidntante
Posts: 3899
Joined: Thu Jan 21, 2016 11:11 pm

Re: TSP fails security audit

Post by whodidntante » Tue Feb 27, 2018 1:58 pm

You don't need insurance when you are backed by the government.

rkhusky
Posts: 5387
Joined: Thu Aug 18, 2011 8:09 pm

Re: TSP fails security audit

Post by rkhusky » Tue Feb 27, 2018 2:13 pm

The difficulty for participants to get money out of the TSP probably also makes it difficult for thieves.

PoppyA
Posts: 416
Joined: Sat Oct 11, 2014 4:24 pm

Re: TSP fails security audit

Post by PoppyA » Tue Feb 27, 2018 3:44 pm

But it is my understanding the TSP is NOT backed by the government? Am I wrong?
"La Bella Luna"

Jeff Albertson
Posts: 530
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: TSP fails security audit

Post by Jeff Albertson » Tue Feb 27, 2018 7:27 pm

This article is 10 years old, so policy may have changed since then.
https://www.marketwatch.com/story/feder ... line-theft
Federal savings plan: not responsible for some online theft

Hackers withdrew about $35,000 from 23 individual TSP accounts in late December (2006) after infiltrating the account holders' computers, according to the TSP. It said its own system, which holds $206 billion of retirement savings, hasn't been breached.

In a warning posted on its Web site, the TSP said federal employees and retirees who access their retirement savings account electronically "must be vigilant and protect their computers; the TSP cannot be responsible for their negligence."
...
One key difference: Investors victimized by electronic theft at online brokerage companies have been quietly repaid for losses, while those at the TSP haven't been made whole - at least not yet. Trabucco chalked up that difference to the fact that, unlike the TSP, such firms are "profit-making organizations."

Helo80
Posts: 726
Joined: Sat Apr 29, 2017 8:47 pm

Re: TSP fails security audit

Post by Helo80 » Tue Feb 27, 2018 8:58 pm

PoppyA wrote:
Tue Feb 27, 2018 3:44 pm
But it is my understanding the TSP is NOT backed by the government? Am I wrong?
Whatever this says.....

The Federal Retirement Thrift Investment Board (FRTIB or "Board") Administers the TSP
The assets of the TSP are held in trust in the Thrift Savings Fund. The financial statements of the Thrift Savings Fund are required by law to be audited annually.

The FRTIB is an independent Government agency that is managed by five presidentially appointed board members and an Executive Director who are required by law to manage the TSP prudently and solely in the interest of the participants and their beneficiaries.

The FRTIB also consults with the Employee Thrift Advisory Council (ETAC), a statutorily created Advisory Committee comprising representatives of employee organizations, unions, and the uniformed services. The Council provides advice to the Board and the Executive Director on matters relating to the investment policies and administration of the TSP.

Dominic
Posts: 203
Joined: Sat Jul 02, 2016 11:36 am

Re: TSP fails security audit

Post by Dominic » Tue Feb 27, 2018 9:21 pm

Mako wrote:
Tue Feb 27, 2018 1:56 pm
Watty wrote:
Tue Feb 27, 2018 1:43 pm
Be sure to also understand the inheritance rules for a TSP since they are in some situations a lot worse than for an IRA.
*snip*
Thanks for this. Seems crazy. If they dismantle the G fund as they'd like to (proposed, folks who haven't heard can google it, please no further discussion) I think most savvy people will have no use for the arcane and restrictive rules of the TSP. I will probably roll out when retired unless things are a lot better by then (admittedly that's still 20ish years off for me).
Even without the G Fund, the TSP is probably better than most 401k/403b/457 plans. That said, the G Fund is the only fund in the TSP that makes it worth keeping instead of rolling it into an IRA. (But again, this is the case with most employer plans. The only ones worth keeping are the ones that offer really good institutional funds, such as DFA funds.)

jminv
Posts: 521
Joined: Tue Jan 02, 2018 10:58 pm

Re: TSP fails security audit

Post by jminv » Tue Feb 27, 2018 9:23 pm


Be sure to also understand the inheritance rules for a TSP since they are in some situations a lot worse than for an IRA. There is a wiki on this.

https://www.bogleheads.org/wiki/TSP_estate_planning

There was a post a while back where they had run into this situation:
1) Dad had a large TSP, he died and left it to his wife.
2) Wife was fine with that and left the money in the TSP, but she died a few years later and left it to their kid.
3) With the TSP rules the kid could not leave it in the TSP or roll it out to an inherited IRA.

The kid was forced to take a large taxable distribution of all the TSP funds in a very high tax bracket since they were working and already in a moderately high tax bracket.

If either the Mom or Dad had rolled it out to an IRA the kid could have an inherited IRA and while they would need to take RMDs they could have spread that out over decades. With federal and state taxes this cost the person nearly half the TSP in taxes.
I was helping someone who was recently widowed and picked up on this after reading up on TSP's. It's a serious issue because often the survivor doesn't know their options or is comfortable with the TSP and doesn't realize the consequences of their inaction. In this case after I noticed this issue, she rolled it over from her TSP beneficiary account into an existing IRA.

Apart from that, the decision to hold the TSP for retirees or survivors is losing its only edge with the private sector in terms of fees charged. On every other metric, the various discount options (Vanguard, Schwab, etc.) provide a far superior product. I will say that compared to some of the other agencies and OPM that we are still dealing with, the TSP is responsive - for the government. It only took a month to establish the beneficiary account and a couple of weeks to do the rollover. Of course, the private 401k and 403bs were transferred over within a week.

Side Question of My Own: It will be interesting to see if during the budget process the G fund's returns are reduced to the 3 or 4 week treasury rate from the current average of maturities 4 years or more, not sure if this has been posted here or not? In any case, it's a proposal under consideration and would significantly reduce the return on the G fund. It would have the effect of encouraging participants to move money over into the F, C, S, and/or I funds.

jminv
Posts: 521
Joined: Tue Jan 02, 2018 10:58 pm

Re: TSP fails security audit

Post by jminv » Tue Feb 27, 2018 9:28 pm

Even without the G Fund, the TSP is probably better than most 401k/403b/457 plans. That said, the G Fund is the only fund in the TSP that makes it worth keeping instead of rolling it into an IRA. (But again, this is the case with most employer plans. The only ones worth keeping are the ones that offer really good institutional funds, such as DFA funds.)
I think the TSP for a worker is on par with many 401k/403b/457 plans in terms of matching. In terms of range of investment options, it is inferior. The G Fund is under review as you mentioned with a budget proposal to move it to the three or four week treasuries rate, i.e., cutting the yield in half or so.
Last edited by jminv on Tue Feb 27, 2018 9:32 pm, edited 4 times in total.

mattshwink
Posts: 304
Joined: Mon Sep 21, 2015 10:01 am

Re: TSP fails security audit

Post by mattshwink » Tue Feb 27, 2018 9:28 pm

PoppyA wrote:
Tue Feb 27, 2018 11:34 am
http://www.govexec.com/oversight/2018/0 ... c_today_nl

And they don’t insure for theft! Uggg! Is this a Reason to consider moving money out?
That is up to you. But the TSP has low fees and good fund choices, so if you choose to roll out make sure you roll to low fee.

That being said, I am a government contractor and have worked at an agency that failed FISMA audits (it took about five years to get things in order). FISMA audits are tough, and the auditors are paid to find things. As stated in the article, FISMA is very stringent on processes and procedures. You can have a secure system, but if it is not well documented (or if people are doing things by themselves, and not as part of a documented procedure) you fail. With a FISMA compliant IT department, you have almost as many compliance people as people doing the work of securing the systems. It can be onerous and painful. Coupled with the fact that federal IT workers (usually oversight and management) are not paid as well as their commercial counterparts and the fact that the IT contracts can be awarded to low bidders.....well it is not always a great combination. But I would not worry too much. The big thing is to see if their scores go up in the next couple of audits....

Engineer250
Posts: 1042
Joined: Wed Jun 22, 2016 1:41 pm

Re: TSP fails security audit

Post by Engineer250 » Wed Feb 28, 2018 12:09 am

jminv wrote:
Tue Feb 27, 2018 9:28 pm
I think the TSP for a worker is on par with many 401k/403b/457 plans in terms of matching. In terms of range of investment options, it is inferior. The G Fund is under review as you mentioned with a budget proposal to move it to the three or four week treasuries rate, i.e., cutting the yield in half or so.
Disagree on all accounts. My former fed dept matched 5% and most private sector employees I know get 3% matching.

My current private sector 401k (through Vanguard) has far inferior fund choices. I wish I had a total international (even if it was just developed) and an affordable total bond index. Instead the only good funds are US domestic index funds (equivalent to C and S). The international, international emerging, and total bonds are actively managed funds with about 1% expense ratio.

I know I'm just one person but I don't think my experience is that unique.

Sure someone is always talking about cutting the G Fund. It's been this way for probably decades. Without getting into politics, it's not currently in any congressional budget proposal and not in the 2-year budget they just did.
Where the tides of fortune take us, no man can know.

Tanelorn
Posts: 1517
Joined: Thu May 01, 2014 9:35 pm

Re: TSP fails security audit

Post by Tanelorn » Wed Feb 28, 2018 3:15 am

Mako wrote:
Tue Feb 27, 2018 1:56 pm
If they dismantle the G fund as they'd like to (proposed, folks who haven't heard can google it, please no further discussion) I think most savvy people will have no use for the arcane and restrictive rules of the TSP. I will probably roll out when retired unless things are a lot better by then (admittedly that's still 20ish years off for me).
Yes, the G fund is the only major benefit of the TSP vs index funds elsewhere. That, plus the fact it's paying over 2x the fair market rate for low risk government debt, is probably why 40% of all TSP dollars are invested there. How long the good deal will last is unknown.

jalbert
Posts: 3580
Joined: Fri Apr 10, 2015 12:29 am

Re: TSP fails security audit

Post by jalbert » Wed Feb 28, 2018 4:09 am

A score of 1 is certainly low, but my belief is that very few organizations would score 3 or higher on the security capability maturity model if it were actually common for organizations to do this audit. I suspect 90% of organizations would rate around 1.
Index fund investor since 1987.

autolycus
Posts: 170
Joined: Thu Jul 31, 2014 3:01 pm

Re: TSP fails security audit

Post by autolycus » Wed Feb 28, 2018 9:36 am

Tanelorn wrote:
Wed Feb 28, 2018 3:15 am
Yes, the G fund is the only major benefit of the TSP vs index funds elsewhere. That, plus the fact it's paying over 2x the fair market rate for low risk government debt, is probably why 40% of all TSP dollars are invested there. How long the good deal will last is unknown.
I'm guessing a bigger factor is that the G Fund was the default investment until recently, and many employees never changed it. It's true of default funds, which were often stable value funds until recently, in private sector plans as well. I'll bet a survey of federal employees would show that most couldn't tell you what the differences in the different funds were. Sadly.

MI_bogle
Posts: 341
Joined: Mon Aug 01, 2016 3:56 pm

Re: TSP fails security audit

Post by MI_bogle » Wed Feb 28, 2018 10:24 am

autolycus wrote:
Wed Feb 28, 2018 9:36 am
Tanelorn wrote:
Wed Feb 28, 2018 3:15 am
Yes, the G fund is the only major benefit of the TSP vs index funds elsewhere. That, plus the fact it's paying over 2x the fair market rate for low risk government debt, is probably why 40% of all TSP dollars are invested there. How long the good deal will last is unknown.
I'm guessing a bigger factor is that the G Fund was the default investment until recently, and many employees never changed it. It's true of default funds, which were often stable value funds until recently, in private sector plans as well. I'll bet a survey of federal employees would show that most couldn't tell you what the differences in the different funds were. Sadly.
Yes, in my 457 60% of all funds were in the stable value fund a couple years ago. It was the default option when people signed up. Also to many people that don't know much about investing, "stable value" sounds pretty good.

Thankfully, they changed the default to target date funds

Krischi
Posts: 92
Joined: Tue Dec 02, 2014 2:23 pm

Re: TSP fails security audit

Post by Krischi » Fri Mar 02, 2018 1:04 pm

This doesn't inspire confidence at all. After logging in:

"This account access is not currently available due to security concerns. Please contact the ThriftLine at 1-877-968-3778 (TDD 1-877-847-4385) if you have any questions or concerns."

FedGuy
Posts: 1227
Joined: Sun Jul 25, 2010 3:36 pm

Re: TSP fails security audit

Post by FedGuy » Sun Mar 04, 2018 11:21 pm

Not very reassuring that the article states that "An effective information security program is scored at Level 4," and then the TSP official proudly states that they're hoping to reach Level 3 in a year.

Is implementation of two-factor authentication a requirement for either level?
