Cybersecurity has become a prevalent concern in the retirement industry. In part because ERISA holds no fiduciary functions in managing cybersecurity risk, the retirement industry is a major target for cyber-attacks.
Surprisingly, many plan breaches are not all due to third-party attackers; rather, it can stem from misconduct by employees (e.g. falling for a phishing scheme, having an easy password, etc.).
Thus, while it’s important for plan sponsors and providers to understand the risks of cyber-attacks, plan participants should also be educated on these risks, along with cybersecurity best practices.
However, plan sponsors face challenges providing preventative measures for cyber-attacks when giving online access to their participants.
Since all of their information is online, participants’ names, account information, social security numbers and other personally identifiable information are susceptible to breach.
That being said, it is in the best interest of plan sponsors to provide guidelines to their participants so these vulnerabilities can be prevented.
Breaches that stem from misconduct or misuse by employees are often done unintentionally.
For example, a participant could unknowingly give away valuable information by simply clicking on links in emails from what may appear to be an outside firm or retailer. In addition, participants are susceptible to getting a cyber attack through fake attachments.
Typically, retailers do not tend to send emails with attachments, so it is advised to check with the retailer directly. Giving out personal information over the phone or in an email can further increase the risk of cyber-attacks occurring.
This is typically geared toward older generation individuals with less familiarity and more susceptibility of being deceived. Individuals are contacted by a seemingly trusted agent who turns out to be a malicious actor.
So, what can be done? Here are a couple of preventative measures to implement to prevent your plan participants from a cyber-attack.
Monitoring and securing accounts regularly
Encourage your participants to log onto their retirement account on a regular basis to check if there are any suspicious activities or changes. This is crucial as to mitigate any damage should a cyber-attack occur. In addition, steps should be taken to create a secure account.
Using strong passwords (at least 10 characters that contain upper and lower letters, numbers and symbols) and changing the password frequently can help prevent breaches.
Not only does it increase the length of time for a hacker to correctly guess a password, but it may also deter them from trying in the first place. In addition, providing alternative security questions (e.g. mother’s maiden name) will make hacking the account more difficult for the fraudster.
Systematically install and update anti-virus and anti-spyware software
One of the major cybersecurity best practices is installing security systems and software on participants’ often-used devices, which could include their desktops, laptops, tablets or cellphones.
While misplacing a device is typically unintentional, it does occasionally happen. When these devices are misplaced, client data through an unsecured device or internet connection are much more susceptible. Thus, installing anti-virus and anti-spyware software on any device can prevent these cyber-attacks. It is equally important to conduct routine and automatic maintenance on this software.
Secure Wi-Fi networks
Plan participants should be aware of the Wi-Fi internet connection they’re using. They should be advised not to check retirement or banking accounts outside of trusted locations, such as the office or home. While public usage should never be encouraged, it often happens.
Participants that do log into accounts on unsecured networks should be aware of their surroundings.
Staying away from areas where people can see the computer or phone should be considered. Having a privacy filter screen protector or even dimming the device can prevent people from stealing personal information.
Prohibit access
It’s essential to never share access to personal accounts with friends and even family members. If it is mandatory for a participant to share access, it should be advised to never share sensitive information or login credentials via text or email. In addition, never provide third parties sensitive information without verifying their credentials.
On the organization side, data access should be controlled and limited only to those who must perform specific functions to further prevent accidental link clicks, opening false attachments and shared data.
By following these cybersecurity best practices, plan participants will mitigate the risks of cyber-attacks. Furthermore, participants should be sure to maintain communication with their employer with regards to their account.
If plan participants notice any unusual or suspicious activities occurring that point to a cyber threat, the issue should immediately be brought to the employer’s attention.
Mark Olsen is managing director with Chicago-based PlanPILOT. PlanPILOT provides comprehensive retirement plan advisory services to a wide range of plan sponsors, minimizing fiduciary risk and promoting positive participant outcomes. As an independent Registered Investment Adviser, PlanPILOT is not tied to any investment fund or record-keeper. PlanPILOT offers clients unbiased advice and assistance to control their retirement plan risks and deliver benefits effectively. Contact PlanPILOT at (312) 973-4911 or visit www.planpilot.com.
Mark Olsen is managing director with Chicago-based PlanPILOT. PlanPILOT provides comprehensive retirement plan advisory services to a wide range of plan sponsors, minimizing fiduciary risk and promoting positive participant outcomes. As an independent Registered Investment Adviser, PlanPILOT is not tied to any investment fund or record-keeper. PlanPILOT offers clients unbiased advice and assistance to control their retirement plan risks and deliver benefits effectively. Contact PlanPILOT at (312) 973-4911 or visit www.planpilot.com.
