Cybercriminals Pose Threat via Executive Accounts

Executives’ workplace retirement plan accounts provide the authority and access hackers need to attack other databases.

Frank Bitzer

Cybercriminals use computers to target the “top of the organizational pyramid” at workplaces, probing executives’ accounts for weak points, according to a cybersecurity expert focused on the employer-sponsored retirement plan market.

As news reports reinforce on an almost weekly basis, hackers can attack everything from internal databases to benefit plans. But while criminals may infiltrate a wide variety of corporate assets, defined contribution and pension plans are particularly attractive due to the significant sums of money involved, says Frank Bitzer, the national director of ERISA consulting at Marsh McLennan Agency.


“They know that top executives have authority and access to other accounts, and then they burrow down from there,” Bitzer says. “Once they’re in, they can go after everything.”

These vulnerabilities may arise from easy-to-guess passwords, poor IT security practices or outdated firewalls, he notes. Once hackers gain access to an executive’s account, they can infiltrate the corporation’s broader systems.

“They prefer pension plans over individual 401(k) plans for the simple reason that pension plans have fewer accounts to break into,” Bitzer notes. “Once those accounts are broken into, there are larger dollar amounts seen in those accounts.”

But 401(k) accounts are not immune either. A common vulnerability lies in incomplete participant profiles, Bitzer warns.

Many employees fail to fill out their online 401(k) profiles or neglect to create strong, secure passwords. Hackers exploit these gaps, filling in missing information and locking participants out of their own accounts before siphoning funds through transfers or in-service distributions.

Global Scale

One of the key challenges facing cybersecurity professionals is the global nature of these attacks, Bitzer says. Hackers from regions including Russia, Southeast Asia, Africa and the Middle East are increasingly targeting U.S. corporations. Given their international origins, local, state and federal authorities face significant challenges in pursuing and prosecuting these attackers.

“They’re practically on every continent,” Bitzer says. “There are bases of hackers attacking American corporations.”

Contrary to popular belief, hackers do not target only the largest corporations. While high-profile firms, particularly Fortune 500 companies, often find themselves in the crosshairs, smaller companies are just as vulnerable, he says. As with larger companies, many hackers try to exploit security weaknesses in key executives’ accounts.

Defined contribution assets, totaling about $10.4 trillion according to the 2024 Recordkeeping Survey by PLANSPONSOR, a sister publication of PLANADVISER, provide a tempting pool of money. Meanwhile, the vulnerability persists: only 27% of plan sponsors had implemented a formal cybersecurity policy, according to the most recent Plan Sponsor Council of America’s “65th Annual Survey of Profit Sharing and 401(k) Plans,” which includes data from the 2022 plan year.

To combat these threats, Bitzer stresses the importance of proactive measures. He encourages participants to regularly check and complete their online 401(k) profiles, select strong passwords and monitor their accounts at least quarterly, if not monthly.

“I cannot stress enough that plan sponsors and service providers just have to beat this drum with a lot of consistency,” he says. “If you are a participant and you have an online account, please fill it out completely and monitor it.”

It is clear that hackers are becoming increasingly sophisticated in their approach to breaching corporate defenses, and no organization is too big or too small to be immune.
