Cybersecurity has become a prevalent concern in the retirement industry. In part because the Employee Retirement Income Security Act (ERISA) assigns no fiduciary duties for managing cybersecurity risk, the retirement industry is a target for cyber-attacks. Surprisingly, not all plan breaches are caused by third-party attackers; many stem from employee misconduct (e.g. falling for a phishing scheme, using a weak password, etc.). Thus, while it is important for plan sponsors and providers to understand the risks of cyber-attacks, plan participants should also be educated on these risks along with cybersecurity best practices.
However, plan sponsors face challenges in providing preventative measures against cyber-attacks when giving online access to their participants. Since all of this information is online, participants’ names, account information, social security numbers and other personally identifiable information are susceptible to breach. Therefore, it is in the best interest of plan sponsors to provide guidelines to their participants so these vulnerabilities can be prevented.
Cybersecurity Best Practices for Plan Participants
As previously mentioned, many plan breaches stem from misconduct or misuse by employees, often unintentional. For example, a participant could unknowingly give away valuable information simply by clicking on links in emails that appear to come from an outside firm or retailer. In addition, participants are susceptible to cyber-attacks delivered through fake attachments.
Giving out personal information over the phone or in an email further increases the risk of a cyber-attack. These schemes are typically aimed at older individuals who are less familiar with the technology and more susceptible to being deceived: the individual is contacted by a seemingly trusted agent who turns out to be a malicious actor. With this in mind, here are a few preventative measures to implement to protect your plan participants from a cyber-attack.
Monitoring and Securing Accounts Regularly
Encourage your participants to log onto their retirement account on a regular basis to check for any suspicious activity or changes. This is crucial to mitigating the damage should a cyber-attack occur. In addition, steps should be taken to create a secure account. Using strong passwords (at least 10 characters that contain upper- and lower-case letters, numbers and symbols) and changing the password frequently can help prevent breaches. Not only does this increase the time a hacker needs to correctly guess a password, it may deter them from trying in the first place. In addition, providing alternative security questions (e.g. mother’s maiden name) will make hacking the account more difficult for the fraudster.
Systematically Install and Update Anti-virus and Anti-spyware Software
One of the major cybersecurity best practices is installing security systems and software on participants’ frequently used devices, which could include their desktops, laptops, tablets or cellphones. While misplacing a device is typically unintentional, it does occasionally happen, and client data on an unsecured device or unsecured internet connection is much more exposed. Thus, installing anti-virus and anti-spyware software on every device can help prevent these cyber-attacks. It is equally important to perform routine, automatic updates of this software.
Secure Wi-Fi Networks
Plan participants should be aware of the Wi-Fi connection they are using. They should be advised not to check retirement or banking accounts outside of trusted locations, such as the office or home. While use of public networks should never be encouraged, it often happens. Participants who do log into accounts on unsecured networks should be advised to be aware of their surroundings and to avoid positions where other people can see the computer or phone screen. Using a privacy filter screen protector, or even dimming the device, can prevent people from stealing personal information.
Prohibit Access
It is essential never to share access to personal accounts with friends or even family members. If a participant must share access, they should be advised never to send sensitive information or login credentials via text or email. In addition, never provide sensitive information to third parties without verifying their credentials. On the organization side, data access should be controlled and limited to those who need it to perform specific functions, which further reduces the exposure from accidental link clicks, opened fake attachments and shared data.
By following these cybersecurity best practices, plan participants can reduce the risk of cyber-attacks. Furthermore, participants should maintain communication with their employer regarding their account. If plan participants notice any unusual or suspicious activity that points to a cyber threat, the issue should immediately be brought to the employer’s attention.
Seek Professional Assistance
Working to protect your retirement plan and plan participants on your own can be a challenge, and it is often not the first task considered among other fiduciary responsibilities. PlanPILOT is an innovative consulting firm that understands these types of complex issues. We are vigilant about keeping plan sponsors and plan participants safe from cyber-attacks. Call us today at (312) 973-4911 or email info@planpilot.com to see how we can help you and your employees protect their retirement plans from cybersecurity attacks.