Cybersecurity in retirement plans: protecting participants
We have all seen the endless stream of headlines about identify theft, data breaches and cyberattacks. These cybercrimes now represent the fastest-growing type of crime in the United States.12 And not only are incidents of cybercriminal activity on the rise, the cyberthreat landscape is continuously evolving to include additional types of attack methods and vulnerable devices. In response, individuals and organizations are taking steps to protect their electronic assets from cyberthreats by ramping up cybersecurity measures, and retirement plans are no exception.
Retirement plans in the crosshairs
With so many security breaches in the news, many plan sponsors may be wondering whether their retirement plans are vulnerable to an attack. Indeed, with close to $6 trillion held in 401(k) plans, these plans have become an enticing target for cyber criminals.13 Not only do these plans hold large amounts of money, but they also collect personal information from plan participants, such as names, addresses, birth dates and Social Security numbers. Such data is highly valued by cybercriminals because the majority of it is permanently attached to the individual and can’t be easily changed.
Protecting the plan
While the information included in retirement plans is protected under numerous laws and regulations, there is currently no comprehensive federal law that governs cybersecurity in 401(k) plans.14 But the cybersecurity threat is so pervasive that lawmakers have asked the Government Accountability Office (GAO) to examine the cybersecurity of the U.S. retirement system. In a letter to the GAO, Senator Patty Murray and Congressman Bobby Scott identified several key questions, including current cybersecurity protections that are in place for retirement plans and what can be done about it in the future. Although the GAO has yet to respond, other industry groups have taken steps to address the issue. The ERISA Advisory Council has published considerations for cybersecurity in benefits plans and has also asked the Department of Labor (DOL) to issue guidance. The Society of Professional Asset-Managers and Record Keepers (SPARK) Institute has also created industry best practices for keeping data secure.
Types of cyberthreats:
Plan sponsors should familiarize themselves with some of the more common types of cyberattacks that have been used consistently in recent years.
Phishing is one of the oldest and most widespread types of cyberattacks. According to Verizon’s Data Breach Investigations Report 2019, phishing is the No. 1 cause of data breaches. Phishing uses email to trick victims into compromising their own devices or personal information by clicking on a malicious link, downloading a virus, or replying with sensitive data. The attackers can set up a fake email or website to look like a trusted source. The goal is to get victims to give information that can be used to gain access to their accounts. In the retirement plan world, a hacker could use this information to make a fraudulent distribution or loan request.
Shorthand for malicious software, malware is a blanket term for viruses and other harmful computer programs hackers use to infect or destroy a network or steal sensitive data. In the first three quarters of 2019, there were approximately 7.2 billion malware attacks.15 And, as mobile devices are increasingly a part of daily life, mobile platforms present a new target for malware-based threats.
Ransomware is a type of malware. In this type of attack, hackers get users to unwittingly download malicious software that blocks access to the victim’s account or data until a sum of money (a ransom) is paid. Email is the No. 1 delivery vehicle for ransomware; emails with malicious links and malicious attachments are responsible for 59% of ransomware infections.16
Protecting participants: tips for plan sponsors
Under ERISA, plan fiduciaries, including plan sponsors, have the broad duty “to act solely in the interest of plan participants and beneficiaries.” While the DOL has yet to issue guidance for fiduciaries, plan sponsors can, and should, take steps to ramp up cybersecurity. And in today’s unpredictable digital environment, it is not enough to have a “react and defend” strategy after the fact; proactive approaches to cybersecurity and continuous monitoring are also critical. As the saying goes, the best defense is a good offense. One of the challenges is knowing where to start. Here are some tips for protecting participants and plan assets:
Build cybersafety into company culture
If you don’t have one yet, establish a program that sends phishing simulations to your population with just-in-time training if they click on a suspicious link. Institutions with a phishing awareness program are able to lower their susceptibility from the industry average of 30%.17
Leverage two-factor authentication when administering plans and on all accounts
Multifactor authentication, like entering a one-time passcode, can add an extra layer of security during the login process. Even if a cybercriminal obtained a username and password, they shouldn’t be able to complete two-factor authentication without access to the one-time passcode from a secondary authentication device, like a mobile phone.
Practice least privilege when assigning administrative access rights
Only give the amount of access an employee administrator needs to do the functions required of their role. Even if this person’s credentials were compromised or they became a malicious insider, they would only have access to nonfinancial information. The fewer individuals with access to sensitive data, the more secure the plan will be.
Enlist the help of the recordkeeper
When selecting a recordkeeper, plan sponsors should get a clear picture of their cybersecurity practices and also understand how the recordkeeper will work with them should a breach occur. Many recordkeepers create educational materials and resources that are both available to participants on their website, or made available directly to the plan sponsor to include in participant information packets.
Help participants protect themselves
Educate participants on safeguarding their accounts and personal information. It may sound basic, but many participants often view their 401(k) plan as something to “set and forget.” Encourage them to regularly check their accounts for unauthorized activity, protect their passwords and login information and make sure their contact information is up to date.
Plan sponsor responsibility
In the absence of specific guidance from the DOL, plan sponsors must still act in a fiduciary capacity under ERISA’s best interest clauses, as well as adhere to data privacy requirements for electronic notices. The chart below breaks down the regulatory guidelines for plan sponsors’ fiduciary duties related to cybersecurity and electronic distribution of plan information.
Cyberthreats are constantly evolving and becoming more sophisticated. As a result, plan sponsors must be one step ahead of hackers. By familiarizing themselves with the cybersecurity risks and developing a plan to circumvent them, plan sponsors can help protect the hard-earned savings that participants and their beneficiaries rely on in retirement.