401(k) World: Cyber Thieves
The fifth in our Planadviser In-Depth series delves into cybersecurity threats to retirement plan assets and the industry’s approach to combatting them.
With a quick Google search, anyone can get a sense of the massive amount of money in workplace retirement plans and individual retirement accounts.
What may be less well known, but not hard for hackers to figure out, is that the retirement plan business model creates multiple potential openings for breaches, according to experts. Participants’ contributions and data often pass through several organizations before reaching the financial institution serving as plan custodian.
Large-scale theft of plan funds or participant data by hackers is not the only risk. Social engineers targeting plan service representatives and participants, particularly older individuals with larger balances, are another exposure.
Several lawsuits alleging theft from participants’ accounts have attracted widespread publicity. In 2016, thieves stole $99,000 from a former participant’s account in Estée Lauder’s 401(k) plan. In 2022, an impostor transferred a Colgate-Palmolive plan participant’s entire $751,000 balance out of the plan without permission to a bank account the participant did not own.
These thefts were not direct hacks into the plans’ custodial accounts. Both involved using the participants’ data, combined with a lack of adequate safeguards—or failure to follow established safeguards—at the organizations responsible for handling plan distribution requests.
Private pension plans must file an annual Form 5500 or Form 5500-SF, which includes a question disclosing losses due to fraud or dishonesty. According to 2021 data, the most recent available, of the roughly 645,000 401(k) plans that filed, only 28 indicated fraud and dishonesty. Those plans reported losses from fraud of $4.9 million, though the nature of the fraud is unclear, since Form 5500 does not ask the source of the fraud.
Does this self-reporting method work in protecting retirement plan assets? David Donaldson, president and CEO of ERISA Smart, an ERISA-risk management firm in Ventura, California, and a former senior investigator for the DOL’s Employee Benefit Security Administration, is skeptical.
“It is my opinion that theft is often not disclosed when it should have been,” he wrote in an email response. “Most plan sponsors simply sign the 5500 without really understanding what they are signing.”
Donaldson maintains there is no way to grasp the number of participants who have become theft victims. “Most often these are quietly resolved and not made public,” he says. “It is very rare that the fidelity bond is used to cover theft of assets.”
Assessing the Risks
Sources for the article agreed that the custodian level is generally considered the most secure location for participants’ funds.
Marc Bleicher, chief technology officer at Surefire Cyber, a digital incident response and forensics company outside Washington, D.C., says financial institutions tend to have the best security and are “usually on top of emerging technology and security controls.” Bleicher is unaware of any electronic thefts directly from plans’ financial institutions and believes that stealing funds from those institutions “would be extremely difficult.”
But there have been breaches further down the line. 401(k) plans typically depend on a software “supply chain” connecting multiple vendors. A mid-2023 security breach of Pension Benefit Information LLC’s MOVEit software affected an estimated 2,000 or more organizations, including numerous companies in the U.S. retirement plan business.
The ransomware breach did not result in the immediate loss of plan participants’ funds, but the stolen data have monetary value. If the thieves sell the data, buyers can use it for identity fraud, follow-on hacking attempts and social engineering schemes. Social engineering cases pose a substantial risk for participants and plan service providers alike.
Roger Grimes, whose title is data-driven defense evangelist at KnowBe4, a security awareness training and phishing testing service in Clearwater, Florida, says that social engineering accounts for 70% to 90% of all successful hacking. Social engineers use stolen data to convince a call center rep, or a participant contacted by phone or email, that the engineer is who they claim to be.
The goal is to obtain additional information, such as a PIN or password, that the thief can use to access the targeted account. Plan service centers can take steps to block thieves, but those barriers are not always foolproof. For example, voice recognition is one of the poorest authenticators, and it is often paired with a participant’s phone number; Grimes notes, however, that phone numbers can be faked.
“You wouldn’t want any service to rely upon voice verification alone,” Grimes says. “Even voice verification plus phone number is still in the realm of digital authentication among the weakest types.”
Locking Down
Grimes says there is no perfect technical defense against phishing; preventive education is the key. Plan administrators and participants need ongoing training to recognize the social engineering attempts directed at them. Administrators also need policies that make it less likely a social engineer can bypass safeguards and successfully impersonate a plan participant.
“You have to be really good about not bypassing [policies], because social engineers will try to appeal to your human empathy to get you to violate policies,” he explains.
ERISA Smart has developed its Participant I.D. software to help prevent fraudulent distributions like those in the Estée Lauder and Colgate-Palmolive thefts.
According to the company’s website, Participant I.D. takes a three-factor authentication approach: biometric facial recognition, government identification verification technology and an identity graph score. A proprietary algorithm uses artificial intelligence to create the risk score that helps determine the probability of fraudulent activity. Users can verify participants via their cell phones, with results delivered to the user within minutes.
The future may hold more friction for savers logging in to their accounts, but it is in the name of protecting, as Participant I.D. puts it, “the funds of hardworking Americans.”
The final installment of our Q1 PLANADVISER In-Depth series will consider the litigation that has influenced what it means to be a 401(k) fiduciary.