Only the Paranoid Survive: Practical Cybersecurity in Retirement Plans

Marina Edwards, Senior DC Specialist at Invesco, and I spoke about cybersecurity in retirement plans. Normally when you hear the word “cybersecurity,” it evokes anxiety and a 30-step protection process. Marina specializes in fiduciary risk mitigation strategies for plan sponsors, and we had a chance to discuss practical steps that plan sponsors can take that will make a big impact. Here are some highlights from our discussion.

Cybersecurity: Who’s responsible?

Cybersecurity policies and practices were typically thought to be the sole responsibility of the service provider that a plan sponsor hires, but in today’s world, it’s something that plan sponsors do need to focus on, too. There’s a bit of a gap, however, as to who exactly on the plan sponsor team should be responsible: Is it HR? Finance? Do we bring an IT person onto the investment committee as a potential fiduciary? (The answer to that last question is no, BTW.) Fortunately the Department of Labor has weighed in and given us some guidelines (more on that later). But, as to who is responsible, it’s the plan sponsor, service providers, and participants working together.

How does fraud happen? A typical hacking scenario

So how can an employee’s account be hacked? It often starts with the recordkeeper’s call center; a hacker typically will call in and say that they lost their password and need to get a loan or make a withdrawal. The call center rep will then ask for verification of their identity (usually the last four digits of their social security number, date of birth, and address). The hacker has all of this information via the dark web, so they're able to answer all of the security questions and be successfully authenticated.

The hacker will then ask the call center rep how they can take money out of their account (e.g. loan, in-service withdrawal, distribution) and make a withdrawal request. The hacker will then often request that the money be wired to their bank account and provide account information (which is usually an out-of-state bank). The money transfers. A confirmation statement is then mailed to the unsuspecting participant’s home, and arrives several days later. By the time the real participant notifies the call center about the fraudulent event, the hacker has closed the bank account so the transaction cannot be reversed, and the money is gone.

According to Marina, this is just the tip of the iceberg; as information technology becomes more complex, the potential for cyber fraud will most likely increase.

What does DOL say plan sponsors should do to manage cybersecurity risk?

The DOL has provided guidelines to address cybersecurity risk and vulnerabilities; here’s an abbreviated list of steps to take and documents that the DOL provides:

  • Establish a formal, well-documented cybersecurity program - DOL provides a list of 12 best practices for ERISA-covered plans

  • Review service provider contracts and practices - DOL provides a service provider review checklist for plan sponsors

  • Communicate to participants - DOL provides a retirement account tip sheet for participants

  • Review insurance coverages

The DOL has also begun random cybersecurity audits of plan sponsors and recordkeepers; here are just a few of the questions they ask:

  • What are the service provider’s processes and systems for dealing with cybersecurity threats and protection of personally identifiable information?

  • Is advanced authentication used? Can the service provider explain the process? Can the company explain the process?

  • Are technology systems regularly updated?

  • Does the service provider carry cybersecurity insurance?

  • Does the company monitor the cybersecurity controls of service providers? How often? Is the monitoring documented?

Plan sponsors must be prepared to answer these and other cybersecurity questions from the DOL. This is new territory for most; Marina encourages plan sponsors to take these questions, document the answers, and store that information in your fiduciary files. (Retirement Planology clients, we’ve already started working on this for you!)

What can participants do to protect their accounts?

Plan participants play an important role in helping to protect their accounts. Here’s what participants can do and what plan sponsors need to encourage their employees to do:

  • Set up your username and password to your online account (with auto-enrollment, many participants don’t do this)

  • Review account transactions

  • Provide all contact information, ensure it’s current

  • Always use multi-factor authentication, especially for your email account – inconvenient, but necessary!

  • Use a password manager

  • Freeze your credit at all 3 bureaus

  • Watch for mail delivery changes

  • Change passwords frequently

Open enrollment is a great time to remind participants to practice good digital hygiene and conduct education on how to access and claim their account online.

How can Cyber Policies help?

Cyber policies come in different forms. Plan committees may elect to put a cyber policy in place for how they are overseeing service providers, but this is optional. Plan sponsors would be well-served to follow the DOL’s guidance mentioned above and check with their current service providers on their policies.

Most of the large major recordkeepers have “make whole” policies; i.e. if a breach occurs, they will make the account whole. This avoids litigation, does right by the participant, and makes the recordkeeper look good - win-win-win! However, it’s important to know what your providers will and will not do and under what circumstances. For example, if a participant has never logged in online to claim their account, their account may not be covered if there is a fraud breach.

Third-party administrators (TPA) need to be examined for their cyber practices as well, since so much of what they deal with includes personally identifiable information. As a reminder, it is never a good idea to email social security numbers or any other personal information. Reports and information should always be uploaded into a secure file transfer. If the TPA is responsible for loans and distributions, plan sponsors need to know what steps they are taking to confirm the identity of participants or if they rely on the recordkeeper for that.

In cases like the one we wrote about above where there has been a breach of a participant’s account, it’s important to know who’s responsible for making the account whole; otherwise there’s the potential for litigation.

Speaking of litigation, there have been three major cases recently regarding 401(k) plan cyber fraud if you want to dig further into the topic:

Case 1: Estee Lauder - $99k (three unauthorized smaller distributions)

Case 2: Abbott Labs - $245k (fraudulent online access)

Case 3: Boeing - $360k (an employee hacked the account of another employee)

Summary

Cybersecurity is an important issue that plan sponsors need to get a handle on rather than shrug off. Participants, plan sponsors, and service providers all play a part in helping protect retirement accounts. Hopefully the above information will aid you in formulating and implementing cybersecurity practices that will help protect your participants’ valuable nest eggs.

If you need help with plan cybersecurity or other plan advice, reach out to us - we’re happy to help!
