“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” – Stephane Nappo
In early September 2024, in its continuing effort to protect U.S. workers’ retirement and health benefits, the U.S. Department of Labor updated its cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers, and plan participants. As 401(k) plans increasingly rely on digital platforms to manage and secure retirement savings, cyber threats have become a critical concern for plan sponsors.
With the rising sophistication of cyberattacks, plan sponsors must ensure that their systems are robust and resilient. Addressing cybersecurity risks is not only a regulatory requirement but also a key element of maintaining trust with plan participants.
In the following Q&A, retirement expert Alyssa Zagrobski, Director of Retirement Plan Services at Shelton Capital Management, and technology expert Bryan Becker, CEO and Founder of IT consulting services provider Class IV, dive into some of the most significant questions around cyber risk and cybersecurity for retirement plan sponsors today.
Alyssa Zagrobski: What specific cybersecurity risks do ERISA plans face today, and how can employers mitigate these risks?
Bryan Becker: Per the last Verizon 2023 Data Breach Investigations Report, ransomware and social engineering are the main attacks against businesses. These will not spare ERISA plans either.
The best first step to mitigate ransomware and social engineering from a business level is to acknowledge these are a risk in the first place and have a plan. I tell many of my clients that companies usually learn cybersecurity in one of two ways: proactive planning or pain. Being curious and acknowledging that cybersecurity threats are a risk when the business chooses to use modern IT is the best first step a company can take.
Zagrobski: Why are health and welfare plans now included under the Department of Labor’s (DOL) updated cybersecurity guidance, and how does this affect plan sponsors?
Becker: While I can’t speak for the DOL, it’s likely the Department considered several factors: the vast number of individuals covered by these plans (around 153 million), the substantial assets involved (over $14 trillion), and being mindful of the rising cyber threats, industry-wide losses, and major breaches like those at Anthem and Equifax. Considering all this, they likely deemed it necessary to proactively include health and welfare plans in their scope.
Plan sponsors must now consider cybersecurity programs as a part of their fiduciary and operational duties. Thus, sponsors need to follow the foundational guidance from the DOL and educate themselves on cybersecurity risk, specifically third-party risk management.
Zagrobski: What potential legal risks do plan sponsors face if they fail to implement adequate cybersecurity measures?
Becker: To be up front, I am not a lawyer, but in all breaches, there’s usually the discovery, the recovery, the remediation, then the fallout period. The first three are operational, the latter is legal. The legal ramifications usually are for an applicable incident:
1. Prepare for fines
2. Prepare for litigation (e.g., class action)
3. Prepare for public relations work
As risk management and cybersecurity professionals, our objective is to offer comprehensive guidance on cybersecurity strategies at all stages: before, during, and after an incident. Our aim is to identify the optimal balance—what we call the “Goldilocks zone”—of risk management, mitigation, transfer, and acceptance, aligning with the plan sponsors’ goals and their financial and risk appetite.
Zagrobski: What specific best practices does the DOL recommend for cybersecurity programs in ERISA-governed plans?
Becker: Since the Department of Labor is seeing untenable losses by cybersecurity and social engineering, it is mandating a cybersecurity framework that plan providers must follow. This is similar to what HHS is doing with HIPAA and DOT with Critical Infrastructure. The specific best practices which come to mind are “have a plan, define and assign responsibilities, and get checked out.” There are other important technical processes, but the foundational ones all revolve around making sure you know your “why,” have a “what” and a “who” for a cybersecurity program.
Zagrobski: Bryan, research by the National Cyber Security Alliance found that more than 70% of cyberattacks target small or medium-sized businesses, and 60% of those attacked went out of business within six months. If that’s the case and these companies do not have resources in place, what is one recommendation you would give to small companies?
Becker: The main recommendation I would put into place is to set up multi-factor authentication and do training on why this is important. Most breaches are caused by human factors combined with phishing and/or a lack of training. The best way for SMBs to make it harder to be breached is to minimize the primary way to attack them, which is through trying to steal or get in through a password.
Zagrobski: There has been an evolution of fraud over the last decade. Ten years ago, we saw the rise of advanced persistent threats, and then it moved to ransomware. Today I imagine artificial intelligence (AI) must be a big cybersecurity threat?
Becker: AI is a threat, yes, and will continue to be used by bad actors for nefarious gains. Where I’m seeing AI being used is in making better phishing and social engineering attacks. One of the key giveaways for phishing is poor grammar, and AI can eliminate that quickly. With social media and generative AI, the attackers can raise the floor of their quality of attacks and make them more personable and believable, making it harder for line workers to identify them. AI is and will be great at creating deepfakes, which will be used for fake voice messages and in other ways.
Zagrobski: As someone in the business, is there a fraud that you have personally fallen for that you have found especially threatening?
Becker: I once was in an organization which had a vendor breached and they were attempting to perform a business email compromise (BEC) and redirect payment. It took a bit because the attacker was very deliberate and was really working the con. Once I called the person and asked about the messages, we found out that they had performed some great obfuscation and “hiding” emails within their mailbox. BEC is one of those processes which accounting teams and managers really need to know about their vendors and their internal processes for on-boarding, AP/AR, and treasury management.
Zagrobski: We work with retirees and focus on securing retirement. How big of a threat is elderly fraud in your field? What advice can you give family members to help protect their loved ones?
Becker: There’s a common saying in cybersecurity: “Why do bank robbers rob banks? That’s where the money is.” Unfortunately, the reason why the elderly are commonly targeted with voice calls, impersonation scams, romance scams, and investment scams is that attackers are successful and they profit from it. The best advice I can give that I told my late grandparents and my mom is to “do not trust anyone who calls or emails you when you don’t expect it.” I would recommend you educate your elderly loved ones on common scams, monitor their financial accounts and go over their transactions with them, and call them often to check in.
Alyssa Zagrobski, AIF, CPFA, is the Director of Retirement Plan Services at Shelton Capital Management, a Denver-based boutique investment firm that helps investors meet financial goals through tailored solutions and human-centric customer service. Founded in 1985, the company provides mutual funds and separately managed accounts to the clients of wealth managers, retirement plans, and individual investors. For more information, visit www.sheltoncap.com.
Bryan Becker is an accomplished IT executive with over 20 years of visionary leadership experience. He has a proven track record of catalyzing enterprise-level transformation to maximize organizational growth and success. As a CIO, CISO, and VP of Information Technology, Bryan has built and maintained top-level oversight of multiple teams, including Service Desk, Infrastructure teams, Enterprise Applications, Cybersecurity, Data Engineering, and Business Intelligence. His company can be found at www.classiv.com.
Important Information
Nothing in this Q&A constitutes investment advice. Any projections or other forward-looking statements regarding future events or otherwise are not necessarily indicative of, and may differ from, actual events or results. Bryan Becker is not affiliated with Shelton Capital Management, and the opinions and statements of Mr. Becker are his views alone and should not be taken as those of Shelton Capital Management.