Cybersecurity Best Practices for Retirement Plans

The game is continually evolving for keeping plan data and systems safe. In this special coverage article, experts discuss how plan fiduciaries can stay up to speed.

It’s a cybersecurity jungle out there. Plan sponsors must defend against participant impersonation, account takeovers, hackers and phishers. And it’s getting worse: Artificial intelligence deepfakes, including fraudulent correspondence, voice impersonations and videos, are hitting financial institutions and their customers.

There is no single solution for managing these threats, especially as AI-based methods continue to evolve. However, plan advisers and their sponsor clients can implement cybersecurity plans that will help keep the bad guys at bay.


Cover The Essentials

Marino Monti, Voya Financial’s chief information security officer, says cybersecurity ultimately comes down to people, processes and technology.

He notes that people need ongoing training and tools to stop fraud; plans need controls and standards that they regularly review and update; and because technology is constantly evolving, sponsors need insights and data protection. They also need basic resiliency.

“When a breach happens, how resilient are you?” he asks. “Do you have a backup plan? Can you recover? What’s your incident response plan?”

The SPARK [Society of Professional Asset Managers and Recordkeepers] Institute’s “Plan Sponsor & Advisor Guide to Cybersecurity; SPARK Data Security Best Practices: Seventeen Control Objectives” addresses these issues and more. SPARK provides guidance on multiple aspects of a cybersecurity program, with components organized by objectives and control benchmarks. These objectives include security policy, asset control, access control, operational/business resiliency, vendor management and cloud security.

Per the publication: “These control objectives are consistent with and aligned to the Department of Labor Cybersecurity Program Best Practices (April 2021) and satisfy the requirement for ‘Reliable Annual Third-Party Audit of Security Controls’ as applied to recordkeepers.”

The Department of Labor’s list of cybersecurity best practices is helpful, but Scott Carroll, a senior consultant with plan consultants Agilis, suggests sponsors go beyond the DOL’s recommendations.

Carroll says plan committees should consider adding information technology representation to educate the committee, ensure company policies are being followed and ask the right questions to vendors. Should the committee face an audit or investigation, it is helpful to have a member who can demonstrate that the committee understood the relevant risks and plan policies.

Carroll maintains sponsors should also take an active role when conducting cybersecurity reviews. The review should be more than simply having the recordkeeper provide a 30-minute overview at a committee meeting, he says: “Take ownership of the process, including issuing a questionnaire to your vendors. In cases where IT is not represented on the committee, it is valuable to have them report their findings to the committee as part of the periodic review, and this often prompts some discussion on having IT representation on the committee.”

Nick Brezinski, the director of information security and network with CAPTRUST, recommends that sponsors take multiple steps to implement cybersecurity best practices. The first step is to provide regular employee training to create a robust awareness of the problem and the procedures employees should follow. Certifying employees annually with ongoing training helps maintain a defensive posture.

Rigorous due diligence on vendors is another critical step, as is having a third party review and assess the sponsor’s cybersecurity efforts. That review will result in a detailed list of any problem areas, with suggestions to close the gaps, whether by implementing technology, updating a process or removing a process, says Brezinski.

The fourth step is implementing a robust access control policy, including enforcing least-privilege access in any instance where it is available.

Sponsors need to make sure they “have a well-defined incident response plan,” Brezinski adds. “Security incidents will happen, and we should be prepared for them. But technical outages like losing an internet circuit or some sort of hardware could take down your infrastructure, causing loss of facilities.”

Recognizing the AI Threat

Recent media reports have described the use of generative AI to commit financial fraud against banks and businesses. Given the large amount of money in retirement plans, they will likely face similar threats soon, if they have not already, says Matthew Corwin, a managing director at Guidepost Solutions, a security, compliance and investigations firm. Corwin explains that the exposures can originate throughout a plan’s financial ecosystem, including third-party vendors, affiliates, advisers and participants.

“Keep in mind that those generative AI risks can take the form of everything from voice and video spoofing to AI-generated financial documents and statements, other identity verifications, IDs, including government issued IDs,” notes Corwin. “All of these things, to some extent, existed prior to the current AI boom. But the AI we’ve seen has enabled some of these cybercriminals to produce increasingly sophisticated … attacks.”

In the wrong hands, AI capabilities increase the risk of identity theft and account takeover, says Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions.

“Having a bad actor either stealing information or gaining unauthorized access is going to be the biggest threat as people are trying to save money in their plans,” she says.

Sutherland believes it is going to “take AI to fight AI.”

“We are seeing the importance of having an adaptive fraud model and adaptive risk signals—the days of static approaches will continue to lessen,” she says. “Adaptive solutions that will be AI-driven will help fight against AI fraud attacks.”

For example, behavioral biometric intelligence uses technology and methodologies to analyze and authenticate individuals based on how they interact with digital devices. According to search engine Perplexity AI, this approach leverages artificial intelligence and machine learning to monitor and analyze various parameters of user behavior continuously, distinguishing legitimate users from potential fraudsters.

Keys to Guarding Retirement Plan Data Against Human Error

Mistakes managing employer-sponsored plan data often expose vulnerabilities that can be exploited by bad actors.

As the digital age evolves, so too do the risks that threaten the security of employer-sponsored retirement plans and their data. Human error within organizations poses a significant risk, as hackers are adept at taking advantage of these vulnerabilities. Understanding and mitigating these risks is therefore crucial for plan sponsors, recordkeepers and participants alike.

Frank Bitzer, national director of ERISA consulting at Marsh McLennan Agency, says that in the current economic climate, with discussions of recession in and out of the news, many companies are starting to cut back on their security budgets.


“They’re trying to wash their nickels and dimes,” he says. “Unfortunately, sometimes they will cut back expenses in IT, in security, software services and monitoring services. That’s where you will see human errors.”

Errors by service providers are not uncommon, and the quality of these providers can vary significantly, according to Bitzer. While some employees excel in their roles, others fall short, potentially failing to deliver on their promises to meet recommended security standards. This inconsistency can lead to vulnerabilities, as individuals may misunderstand their tasks, neglect to ask critical questions or overlook warning signs.

Chris Bellomo, EY’s Americas retirement income leader, notes that every individual handling retirement plan data introduces a potential risk.

“Human error situations often arise when there are lapses in controls during manual processes, insufficient identity access management … a lack of awareness about data risks, and widespread, unmanageable data distribution across the enterprise,” he says.

Bellomo urges plan advisers to be proactive in helping their plan sponsor clients prevent human error-related security incidents. This requires the design and establishment of a robust data governance and controls program with clearly defined access controls across all processes and reports.

Plan fiduciaries should also consider investing more in automating tasks that use personal data and make sure all data is encrypted from start to finish for better security. Additionally, training and awareness about appropriate use of data continue to be critical.

Bad Actors

“We’ve seen cases of human error where money has been lost,” Bitzer says. “It’s been sent to the wrong account because somebody fat-fingered the account numbers or the transfer numbers in the system, but those can usually be resolved.”

Financial institutions can trace the error, contact the receiving party and work to correct it. Since these errors can happen to any institution, there is generally a spirit of cooperation when it comes to resolving them. Additionally, sometimes it is a member of the financial institution that made the initial mistake.

“Human error, in and of itself, usually isn’t going to cause somebody to steal your money,” Bitzer says. “That involves an intent by an acting person, and that’s your hacker on the other end. […] These hackers are very, very good. They know how to spot these vulnerabilities. Once they spot them, they will exploit them.”

He recounts a case from late 2023 in which a woman discovered that $800,000 had been drained from her individual retirement account. Arguing with her bank and trustee, she delayed contacting the FBI or IRS. By the time her service providers convinced her to involve the authorities, the money was already gone, and they have yet to be able to recover it.

Bitzer says part of the issue stemmed from human error, such as the woman’s lax maintenance of her online security and passwords. Additionally, the financial institution that held her IRA experienced a breach in its firewalls. Litigation is likely, if not already, underway. The critical mistake, however, was the delay in involving the FBI and recovering the funds.

“FBI first, finger-pointing second,” Bitzer says.

Increased Threat

Abhishek Madhok, EY Americas’ insurance cybersecurity leader, notes that “exposure of personal identifiable information data to bad actors presents a heightened risk to the near- and in-retirement participants, as elder fraud has increased significantly due to larger average account balances.”

Fraudsters are now leveraging artificial intelligence to conduct more sophisticated fraud attempts, using PII data that has been leaked or sold on the dark web, Madhok says. This technological advancement in cybercrime underscores the need for increased vigilance.

Jay Gepfert, a founding partner in advisory consultant Culpepper RFP, says more than 65% of data breaches stem from individuals unknowingly falling prey to hacking schemes. Once information is provided to hackers, they are able to gain greater access to the individual’s information or possibly that of the sponsor or service provider.

Since most hacking issues arise with recordkeepers and third-party administrators, as they hold sensitive personal information, a data breach into an individual account could create the opportunity for an unauthorized distribution, according to Gepfert.

Gepfert says many recordkeepers have guaranteed data security, but those promises are based on participants logging into their account on a frequent basis and changing their login information. If the frequency is not kept up, the guarantee is not valid. 

“Plan sponsors, like any organization, have to remain diligent to educate and train the employees and participants on the common methods that bad actors are trying to gain access to retirement accounts and other personal accounts,” Gepfert says. “A piece of the DOL cyber guidance centers around the ongoing education to participants to keep them abreast of the things they can do to protect themselves.”
