Cybersecurity Tips for Retirement Plans

The Aspen Institute released an article in April that says, “Amid the COVID-19 crisis, which continues to impact public health, the global economy, and life as we know it, known instances of cybercrime have more than tripled.”

As much as we don’t want to think about it, retirement plans are a target of cybercrime. Examples are requesting fraudulent loans and distributions, or stealing personal information.

Here are tips for helping prevent malicious account takeovers:

  1. Encourage participants to register their qualified plan accounts (so someone else does not register them first) with strong, unique passwords, review their privacy settings, avoid accessing their accounts from public Wi-Fi, and stay alert for scams.

  2. Embrace and activate multi-factor authentication.

  3. Communicate cyber “best practices” to participants (e.g., do NOT send your SSN by email!).

  4. Focus on your recordkeeper’s SOC 2 reports. These cover a business’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1 (SSAE 16) reports, which focus on controls over financial reporting.

  5. Regularly monitor your plan and accounts for suspicious activity. It never hurts to double-check a loan or distribution request.

Another way that employers can help employees protect their accounts is by selecting providers that invest in cybersecurity and take it seriously. We’ve taken to including questions about vendors’ cybersecurity policies in our RFPs. If you haven’t asked your retirement plan providers — including recordkeeper, TPAs, advisor, auditors, and education firm — about cybersecurity lately, it’s important to put it on your agenda.

What we’re seeing from providers lately:

  1. Requiring two-factor authentication when accessing an account online.

  2. Ability to block electronic money movement out of accounts, protecting balances from unauthorized transfers.

  3. Ability to receive instant security alerts on a mobile number when certain transactions or profile updates are made on the account.

  4. Voice recognition technology to instantly verify the caller at the call center.

  5. Methods for protecting data systems from attackers and identifying intrusions quickly, thus minimizing damage.

  6. Hiring outside firms to attempt to enter the workplace or data centers physically and/or through cyber means to test their internal controls.

  7. Multiple checkpoints before distributions are issued, plus monitoring for suspicious behavior.

  8. Training employees to recognize and prevent phishing attacks.

  9. Overlapping technologies to create multiple layers of defense against attacks, such as compartmentalized data.

  10. Using encrypted email to communicate with clients, and permitting sensitive information to be transmitted only via upload to a secure shared file location.

Cybersecurity should be an ongoing part of your due diligence and monitoring process for your retirement plans, and also a vital part of your communication campaigns with employees. Need assistance evaluating your providers? Reach out for help.
