Using data from 2016 Form 5500 annual reports, the American Benefits Council found that there were over half a million 401k plans in the United States, covering more than 100 million participants. Total assets were approaching $6 trillion. And they’re an irresistible target for hackers, not just for the assets held in the accounts, but the sensitive information that can be sold or used for fraud.
Advisors aren’t subject to regulations regarding 401k cybersecurity specifically, but everyone in the 401k-food chain could find themselves on the wrong end of a lawsuit for failing to meet their fiduciary duties if a plan is breached.
When a participant in a plan offered by Estée Lauder had $99,000 stolen through unauthorized electronic distributions, she sued the makeup giant, the plan recordkeeper and the plan custodian for breaching “fiduciary responsibilities of loyalty and prudence owed under ERISA by allowing the unauthorized distributions and for failing to detect and halt the fraudulent distribution requests,” according to a brief from Groom Law Group.
There are common-sense measures to protect advisory firms and retirement plan participants from cyberattacks—practice good password hygiene, use multifactor authentication, encrypt your data—but advisors also need to be proactive about reducing access points for hackers.
All Together Now
One of the first lines of defense against cyberattacks is to focus on bringing assets in old or inactive accounts into the plan.
“The more accounts that are out there in the system, the more accounts an individual has, the more opportunity there is for online access to those accounts,” said Neal Ringquist, executive vice president and chief sales officer at Retirement Clearinghouse.
Encouraging new hires to roll assets from an old 401k into their current plan doesn’t just increase assets under management; it helps protect participants from losing data or assets to cybercrime.
Insisting that vendors have adequate cyber protection is critical, according to Mike Goode, senior vice president of information security and infrastructure at Retirement Clearinghouse.
“A lot of companies don’t even know who their third-party vendors are and what they do,” Goode said.
Goode’s not just talking about advisors’ financial and technical vendors. Who cleans the office? Who manages the building?
“Most breaches come from external vendors. The famous one was Target; when they got breached for all their credit cards at their point of sale system, it was the HVAC company that had passwords to the network,” Goode pointed out.
Advisors need to determine what data their vendors store or have access to and the cybersecurity practices they have in place.
Goode said he requires vendors to share a SOC 2, an audit framework outlined by AICPA that examines a vendor’s policies and procedures related to its internal security, access, integrity, confidentiality, and privacy.
“I won’t work with a vendor that does not have a SOC 2 because that means they haven’t even invested enough to ensure that their own organization is secure,” he said.
Smaller plan sponsors may be especially vulnerable to an attack that comes through a vendor, as they’re likely to “have significant dependence on third parties,” according to the ERISA Advisory Council.
Determining which vendors have access to what data can help identify where advisors are taking unnecessary risks.
“You have to be very careful who you allow on your network, then you have to restrict their access,” Goode said.
Protect Participants, Employees from Themselves
Strong passwords and multifactor authentication are simple steps to make a firm more secure, but those basic measures sometimes aren’t appreciated by employees or participants.
“We don’t use passwords anymore, we use passphrases,” Goode said. Employees are required to have a 15-character passphrase, he said, and “privileged users” who have access to more sensitive information must use passwords that are between 27 and 40 characters.
“Eight-character passwords get hacked in two hours. It takes three and a half months to hack a 15-character password,” he said.
Goode said it took some time for people to get used to using longer passwords, but it was important to him to have that extra security.
“I don’t want to impede the productivity of this organization, but at the same time, I want to have 70-something of the most paranoid people in the world,” he said.
Encouraging employees or plan participants to apply those standards to their personal accounts can help make them less of a burden.
Goode said that he’s had employees tell him they’ve adopted similar security standards to the ones they use at work because they recognize that they’re much safer.
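As an added illustration (not code from the article or from Retirement Clearinghouse), the following Python check enforces the tiered passphrase rule Goode describes: at least 15 characters for ordinary employees, and 27 to 40 characters for privileged users. The function names, the character-diversity check, and the 95-character printable-ASCII alphabet used for the search-space comparison are assumptions added here; the length thresholds are the ones quoted above.

```python
# Added example: tiered passphrase policy check based on the article's stated
# minimums (15 chars standard, 27-40 chars privileged). Names are assumptions.

from dataclasses import dataclass

STANDARD_MIN = 15      # quoted rule for ordinary employees
PRIVILEGED_MIN = 27    # quoted lower bound for privileged users
PRIVILEGED_MAX = 40    # quoted upper bound for privileged users
PRINTABLE_ASCII = 95   # assumed alphabet size for the search-space comparison


@dataclass(frozen=True)
class PolicyResult:
    ok: bool
    reason: str


def check_passphrase(passphrase: str, privileged: bool = False) -> PolicyResult:
    """Return whether a candidate passphrase satisfies the role's length rule.

    The passphrase itself is never placed in the reason string, so the result
    can be logged without leaking the secret.
    """
    length = len(passphrase)

    if privileged:
        if length < PRIVILEGED_MIN:
            return PolicyResult(False, f"privileged passphrase shorter than {PRIVILEGED_MIN}")
        if length > PRIVILEGED_MAX:
            return PolicyResult(False, f"privileged passphrase longer than {PRIVILEGED_MAX}")
    elif length < STANDARD_MIN:
        return PolicyResult(False, f"passphrase shorter than {STANDARD_MIN}")

    # Assumed extra rule: reject strings that meet the length bar only by
    # repeating a handful of characters ("aaaaaaaaaaaaaaa").
    if len(set(passphrase)) < 4:
        return PolicyResult(False, "passphrase uses too few distinct characters")

    return PolicyResult(True, "ok")


def search_space_ratio(short_len: int, long_len: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """How many times larger the brute-force space is for long_len vs short_len.

    Each added character multiplies the space by the alphabet size, which is
    why length, not complexity rules alone, drives resistance to guessing.
    """
    if long_len < short_len:
        raise ValueError("long_len must be >= short_len")
    return alphabet ** (long_len - short_len)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate, priv in [("correct horse battery staple", False),
                            ("correct horse battery staple", True),
                            ("Tr0ub4dor&3", False),
                            ("aaaaaaaaaaaaaaa", False)]:
        result = check_passphrase(candidate, privileged=priv)
        print(f"privileged={priv} len={len(candidate)} ok={result.ok} ({result.reason})")
    print("8 -> 15 characters enlarges the search space by", search_space_ratio(8, 15))
```

The check reports only the rule that failed, never the candidate string, so it can be wired into an enrollment flow and its denials logged for audit without creating a new place where secrets are written down.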
Encryption
Encrypting data should be standard practice for any advisor. Data at rest (whether it’s being stored in the cloud, or on local networks or hardware) and data in transit should be encrypted to prevent it from being used if it’s stolen.
“You want to make sure both of those methods are encrypted when using any kind of third-party vendor,” Goode said.
As the Department of Labor ponders a rule that would make electronic delivery of disclosure documents the default, it’s clear that encryption will only become more important. Ironically, a survey from the Secure Retirement Institute found consumers believe paper statements are more secure than electronic ones; this was especially true among the famously tech-oriented Millennial and Gen Z consumers surveyed.
Advisors’ current operating systems likely already have built-in or additional encryption solutions, like Microsoft’s BitLocker or Mac’s FileVault. Third-party products like AxCrypt or CertainSafe are also available.
Cyber Insurance
Cybersecurity insurance is still a developing product, but advisors and plan sponsors should look into securing this type of coverage if they haven’t already. A 2016 report from the ERISA Advisory Council found more than 60 carriers offer standalone cybersecurity insurance policies, with over $2 billion in written policies. The council expects that market to grow to $75 billion by this year.
General liability or errors and omissions policies are unlikely to provide much coverage for a cyber event. Cybersecurity insurance may cover things like legal expenses, data restoration, disclosure statements and other expenses that arise from a data breach.
“Plan sponsors and fiduciaries should understand what cyber insurance does and does not provide and how it coordinates with other types of insurance coverage, so that they can appropriately consider whether to incorporate cyber insurance into their cyber risk management strategy,” the ERISA Advisory Council wrote.
Do Your Due Diligence
Ringquist encouraged advisors to apply the same guidance they give their clients to their own practices.
“Start with their own business, start with their own personal accounts,” he said. “How are they protected?”
He believes that in conducting their due diligence, plan sponsors are aware of the risk cybersecurity poses and are prepared to take advice on how to protect their clients.
“When we’re interacting with plan sponsors in a sales situation or service providers, the level of due diligence, particularly around information security, has significantly increased I’d say in the last five years,” Ringquist said. “I think the industry, particularly the large plan sponsors, the recordkeepers and so forth, are most definitely paying attention to this issue.”
Goode reiterated that the nature of the financial services industry means companies will have to share sensitive information in the course of their business.
“People need to understand, you have data that can be used to steal people’s identity, and some of that data you may need to send to third-party vendors for services,” he said. “You need to understand how that data is going to be protected, encrypted and used by those vendors.”