Cybersecurity Best Practices for Retirement Plans

It’s a cybersecurity jungle out there. Plan sponsors must defend against participant impersonation, account takeovers, hackers and phishers. And it’s getting worse: Artificial intelligence deepfakes, including fraudulent correspondence, voice impersonations and videos are hitting financial institutions and their customers.

There is no single solution for managing these threats, especially as AI-based methods continue to evolve. However, plan advisers and their sponsor clients can implement cybersecurity plans that will help keep the bad guys at bay.

Cover The Essentials

Marino Monti, Voya Financial’s chief information security officer, says cybersecurity ultimately comes down to people, processes and technology.

He notes that: People need ongoing training and tools to stop fraud. Plans need controls and standards that they regularly review and update. Technology is constantly evolving, and sponsors need insights and data protection. They also need basic resiliency.

“When a breach happens, how resilient are you?” he asks. “Do you have a backup plan? Can you recover? What’s your incident response plan?”

The SPARK [Society of Professional Asset Managers and Recordkeepers] Institute’s “Plan Sponsor & Advisor Guide to Cybersecurity; SPARK Data Security Best Practices: Seventeen Control Objectives” addresses these issues and more. SPARK provides guidance on multiple aspects of a cybersecurity program, with components organized by objectives and control benchmarks. These objectives include security policy, asset control, access control, operational/business resiliency, vendor management and cloud security.

Per the publication: “These control objectives are consistent with and aligned to the Department of Labor Cybersecurity Program Best Practices (April 2021) and satisfy the requirement for ‘Reliable Annual Third-Party Audit of Security Controls’ as applied to recordkeepers.”

The Department of Labor’s list of cybersecurity best practices is helpful, but Scott Carroll, a senior consultant with plan consultants Agilis, suggests sponsors go beyond the DOL’s recommendations.

Carroll says plan committees should consider adding information technology representation to educate the committee, ensure company policies are being followed and ask the right questions to vendors. Should the committee face an audit or investigation, it is helpful to have a member who can demonstrate that the committee understood the relevant risks and plan policies.

Carroll maintains sponsors should also take an active role when conducting cybersecurity reviews. The review should be more than simply having the recordkeeper provide a 30-minute overview at a committee meeting, he says: “Take ownership of the process, including issuing a questionnaire to your vendors. In cases where IT is not represented on the committee, it is valuable to have them report their findings to the committee as part of the periodic review, and this often prompts some discussion on having IT representation on the committee.”

Nick Brezinski, the director of information security and network with CAPTRUST, recommends that sponsors take multiple steps to implement cybersecurity best practices. The first step is to provide regular employee training to create a robust awareness of the problem and the procedures employees should follow. Certifying employees annually with ongoing training helps maintain a defensive posture.

Rigorous due diligence on vendors is another critical step, as is having a third party review and assess the sponsor’s cybersecurity efforts. That review will result in a detailed list of any problem areas, with suggestions to close the gaps, whether by implementing technology, updating a process or removing a process, says Brezinski.

The fourth step is implementing a robust access control policy, including enforcing least-privilege access in any instance where it is available.

Sponsors need to make sure they “have a well-defined incident response plan,” Brezinski adds. “Security incidents will happen, and we should be prepared for them. But technical outages like losing an internet circuit or some sort of hardware could take down your infrastructure, causing loss of facilities.”

Recognizing the AI Threat

Recent media reports have described the use of generative AI to commit financial fraud against banks and businesses. Given the large amount of money in retirement plans, they will likely face similar threats soon, if they have not already, says Matthew Corwin, a managing director at Guidepost Solutions, a security, compliance and investigations firm. Corwin explains that the exposures can originate throughout a plan’s financial ecosystem, including third-party vendors, affiliates, advisers and participants.

“Keep in mind that those generative AI risks can take the form of everything from voice and video spoofing to AI-generated financial documents and statements, other identity verifications, IDs, including government issued IDs,” notes Corwin. “All of these things, to some extent, existed prior to the current AI boom. But the AI we’ve seen has enabled some of these cybercriminals to produce increasingly sophisticated … attacks.”

In the wrong hands, AI capabilities increase the risk of identity theft and account takeover, says Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions.

“Having a bad actor either stealing information or gaining unauthorized access is going to be the biggest threat as people are trying to save money in their plans,” she says.

Sutherland believes it is going to “take AI to fight AI.”

“We are seeing the importance of having adaptive fraud model and adaptive risk signals—the days of static approaches will continue to lessen,” she says. “Adaptive solutions that will be AI- driven will help fight against AI fraud attacks.”

For example, behavioral biometric intelligence uses technology and methodologies to analyze and authenticate individuals based on how they interact with digital devices. According to search engine Perplexity AI, this approach leverages artificial intelligence and machine learning to monitor and analyze various parameters of user behavior continuously, distinguishing legitimate users from potential fraudsters.