Defend Your Retirement Plan From Cyberattacks
Unfortunately, falling victim to a cybersecurity attack is becoming increasingly common. It seems that at least once a week, another major company has fallen prey to the persistence of cyberattackers. Retirement plans are notorious targets for these attacks because they involve a high volume of sensitive information that is invaluable to criminals with malicious intent. Plan participant and financial information is generally shared with many different parties, making it more vulnerable to such threats. Retirement plan cybersecurity is crucial. We will discuss current risks as well as some useful tips for protecting your plan participants’ information.
Types of Cyberattacks on Retirement/Benefits Plans
Cyberattacks are an ever-evolving problem. Professional hackers continue to develop new and complex ways to penetrate the weak spots in retirement plans in order to extract sensitive personal information. However, there are a few common types of cyberattacks that have been used consistently over the past decade: ransomware, phishing, wire transfer email fraud and malware.
- One of the most popular types of attacks in the past year has been ransomware, which hackers trick unwitting users into downloading onto their computers. Once it is installed, the hackers are able to encrypt the entire hard drive. They then demand that the person or company pay a specified amount of money to regain control over their systems and data. Recovery can be expensive for the company, and the incident often ends with the company paying the cyberattacker the demanded funds.
- “Phishing” refers to an email sent to a company or person with an enticing offer or message that appears to come from a company or person they know. The goal is to get the unsuspecting victim to hand over information that can be used to gain access to their accounts. You will want to make sure your plan participants are educated about these pernicious attacks.
- Wire transfer email fraud is where cyberattackers pose as a high-level executive and ask an employee to transfer funds to a specific account. Those funds actually go directly to the cyberattacker. This kind of attack can be especially effective against retirement plan participants, because the person on the receiving end often trusts the “high-level executive” and does what they ask.
- Lastly, malware is simply harmful software that is written with the intent to damage or take over a targeted network, giving cybercriminals access to personal and detailed financial records.
What Data is at Risk?
Retirement plans store copious information on individual plan participants. The information most prone to cybersecurity attacks, and of the greatest value to cyberattackers, includes the following:
- Social Security numbers
- Dates of birth
- Addresses
- Email addresses
- Bank account information
- Compensation information
- Account balances
- Plan assets
- Payroll information
- Beneficiary information
What Are the Regulations?
The information included in retirement plans is protected under myriad laws and regulations. There is currently no comprehensive federal regulation that protects retirement plans and service providers from cyberthreats, but steps in that direction are underway. In the meantime, the existing complex regulations make it essential for you to protect your plan participants to the best of your ability.
The ERISA Advisory Council and the Society of Professional Asset Managers and Recordkeepers (SPARK) Institute have begun to create recommendations that establish better cybersecurity for retirement and other workplace benefits. For instance, the ERISA Advisory Council created a report that not only addresses the challenges of plan cybersecurity, but also serves as a resource for plan sponsors, fiduciaries and service providers to establish strategies to guard against cyber risks. In addition, SPARK developed a comprehensive data-management standard to help protect retirement plans from relentless cyberattacks. Their main goal is to have a set of security standards for recordkeepers and financial advisors to follow that will help reduce cyberthreats through baseline security systems.
Retirement plans are also subject to official regulation from other directions: the Gramm-Leach-Bliley Act, the Securities and Exchange Commission and the Federal Trade Commission. For example, the GLB Act requires certain federal agencies to issue regulations under which any financial institution must tell plan participants before sharing their personal information with a third party, and may not do so without the participant’s permission. It also obligates them to protect the participant’s personal and confidential information. This is an important regulation because a high percentage of data breaches occur when information is sent to and shared with third parties, and retirement plans involve a great deal of sensitive information.
Steps to Safeguard
Fortunately, there are a few steps that can be taken to help further safeguard against these security and cyberattack issues.
- First, plan sponsors should design their own process for addressing and fixing potential cybersecurity issues. This will give the plan sponsor a clear plan of action on how to deal with such risks. Since many of the issues we see come into play with third-party vendors, identifying any possible gaps in security in the information sharing process can greatly reduce the damage of attacks.
- Plan participants should also be advised to choose strong passwords that are hard to guess, and to change their passwords often. This makes a hacker’s work much more difficult, and they will likely look elsewhere for an easier target. Participants should also keep their contact information up to date, so that if a breach does happen they can be informed promptly and take proper action immediately. Two-factor authentication for account access adds a further layer of security.
- Using cyber liability insurance is also an option. Having a good quality cybersecurity insurer can help mitigate, although not prevent, the damage of an attack.
- Finally, hiring an outside firm that also specializes in retirement plan cybersecurity, such as PlanPILOT, is the best way to ensure your participants’ data is kept safe and you are in compliance with federal regulations.
What to Do When There is a Breach
The major steps after a breach has been identified are to:
- mitigate damage,
- identify data that was accessed and seek to retrieve it or prevent its spread, and
- patch the point of entry as soon as possible.
Bringing in an outside team to make sure the issues are fixed is always a good plan of action. A forensic investigation should also be completed so you better understand where the breach originated and how far it extended.
How PlanPILOT Can Help
The most important step you can take is to make sure a security breach never happens in the first place. It is often challenging for sponsors to diligently protect their retirement plan due to lack of time or knowledge regarding these complex issues. PlanPILOT is an innovative consulting firm that is determined and vigilant about keeping plan sponsors and plan participants safe from cyberattacks. Call us today at (312) 973-4911 or email info@planpilot.com to see how we can help you and your employees protect their retirement plans from cybersecurity attacks.