Cybersecurity is top-of-mind—for advisors, sponsors, participants, and (yes) regulators, and multiple sessions were dedicated to the topic at the 2022 NAPA 401(k) Summit in Tampa.
Account takeovers are especially troubling, and Voya Financial’s Charles Griffin presented “What Intermediaries and Their Plan Sponsors Need to Know About Fraud and Account Take-overs” in a Monday morning session on how intermediaries and plan sponsors can communicate with participants to mitigate fraud.
He began a pre-session interview by noting an interesting, if counterintuitive, point: according to industry data, the number of account takeovers seen by recordkeepers has declined recently across the industry.
“NBC News has been covering one of the reasons why; of the $900 billion that was part of the Covid Relief and Paycheck Protection Programs, half of it was stolen by the fraudsters,” Griffin, Information Technology Security Consultant with Technology Risk Security Management, said.
When the money was released to the states, they supposedly didn’t have many fraud controls because this was a new program.
“The fraudsters went where the money was—why go after somebody’s IRA account when you can go after a big pile of money?”
Yet there’s a renewed need by participants to up their cybersecurity profiles.
“Now, with Covid and PPP investigations happening, fraudsters will be back again looking at recordkeepers,” Griffin explained.
He noted the Department of Labor (DOL) guidance issued last year, which had three aspects. One was directed towards recordkeepers and how their cybersecurity policies should look. The next was for plan sponsors and the questions to ask recordkeepers when entering a relationship, meaning vetting their programs to see if they adhere to best practices. The last was directed to participants and informed them of what they could do to protect themselves better.
“One aspect that I hit on with everybody is that when you look at network activity directed at anything Internet-facing at Voya, we get anywhere from 20 to 25 million pieces of what I call exogenous data coming into our systems,” he said. “It’s reconnaissance in nature. They’re trying to figure out if anything is exposed or a service is not protected.”
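The traffic Griffin describes as reconnaissance has a recognizable shape in perimeter logs: a single source touching many distinct ports in a short time, looking for anything exposed. The script below is an added, self-contained example (not Voya’s tooling or anything from the session) that flags such sources in a constructed firewall log; the line format, addresses and thresholds are assumptions chosen for illustration.

```python
"""Flag reconnaissance-style sources (port sweeps) in firewall logs.

Added example with a constructed log format; the addresses, field names and
thresholds are assumptions, not Voya's logs or detection rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log line layout (constructed for this example):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<ALLOW|DROP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: 198.51.100.7 sweeps twelve ports in twelve seconds,
# 203.0.113.9 touches three web ports, 192.0.2.44 is an ordinary client on 443.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=198.51.100.7 dst=203.0.113.5 dport=21 proto=tcp action=DROP
2024-05-01T10:00:02Z src=198.51.100.7 dst=203.0.113.5 dport=22 proto=tcp action=DROP
2024-05-01T10:00:03Z src=198.51.100.7 dst=203.0.113.5 dport=23 proto=tcp action=DROP
2024-05-01T10:00:04Z src=198.51.100.7 dst=203.0.113.5 dport=25 proto=tcp action=DROP
2024-05-01T10:00:05Z src=198.51.100.7 dst=203.0.113.5 dport=53 proto=tcp action=DROP
2024-05-01T10:00:06Z src=198.51.100.7 dst=203.0.113.5 dport=80 proto=tcp action=ALLOW
2024-05-01T10:00:07Z src=198.51.100.7 dst=203.0.113.5 dport=110 proto=tcp action=DROP
2024-05-01T10:00:08Z src=198.51.100.7 dst=203.0.113.5 dport=143 proto=tcp action=DROP
2024-05-01T10:00:09Z src=198.51.100.7 dst=203.0.113.5 dport=443 proto=tcp action=ALLOW
2024-05-01T10:00:10Z src=198.51.100.7 dst=203.0.113.5 dport=3389 proto=tcp action=DROP
2024-05-01T10:00:11Z src=198.51.100.7 dst=203.0.113.5 dport=8080 proto=tcp action=DROP
2024-05-01T10:00:12Z src=198.51.100.7 dst=203.0.113.5 dport=8443 proto=tcp action=DROP
2024-05-01T10:00:03Z src=203.0.113.9 dst=203.0.113.5 dport=80 proto=tcp action=ALLOW
2024-05-01T10:00:04Z src=203.0.113.9 dst=203.0.113.5 dport=443 proto=tcp action=ALLOW
2024-05-01T10:00:05Z src=203.0.113.9 dst=203.0.113.5 dport=8080 proto=tcp action=DROP
2024-05-01T10:00:01Z src=192.0.2.44 dst=203.0.113.5 dport=443 proto=tcp action=ALLOW
2024-05-01T10:00:09Z src=192.0.2.44 dst=203.0.113.5 dport=443 proto=tcp action=ALLOW
2024-05-01T10:00:30Z src=192.0.2.44 dst=203.0.113.5 dport=443 proto=tcp action=ALLOW
this line is not a firewall record and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(log_text, min_ports=10, window_seconds=60):
    """Return {src: distinct_port_count} for every source that touched at least
    min_ports distinct destination ports inside some window_seconds window.

    Both allowed and dropped hits count: a scanner learns as much from an
    accepted connection as from a refused one.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["src"]].append((rec["ts"], rec["dport"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # time order, so each window starts at one event
        best = 0
        for i, (start_ts, _) in enumerate(evs):
            ports = set()
            for ts, port in evs[i:]:
                if (ts - start_ts).total_seconds() > window_seconds:
                    break
                ports.add(port)
            best = max(best, len(ports))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible reconnaissance from {src}: {count} distinct ports")
```

The thresholds are the tuning knobs: a wide window with a high port count catches slow sweeps, while a short window with a low count catches fast ones but will also fire on legitimate multi-service clients, so in practice the output feeds a review queue rather than an automatic block.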
Chain of trust
Participants are no different, he continued, and the same activity is occurring on home networks and routers. Therefore, participants need to understand that they’re part of the “chain of trust” and should check their home router’s firmware to see if there’s a newer version that is less susceptible to being compromised.
“I connected through Atlanta on my way to the Summit, and while there, I’ll use personal chargers to charge multiple mobile devices. What a lot of people will do is they’ll take their USB cable and plug it into airports’ USB ports. Those are sources of infection as well. Once they’re compromised, they can do an exchange with the endpoint device and upload malware to your laptop.”
While he isn’t looking to make anyone paranoid, cybersecurity awareness is always critical. Advisors can often differentiate themselves by bringing attention to it and dedicating time in enrollment and education meetings.
“This kind of attention-getting information is something to which plan sponsors and participants respond,” Griffin concluded.