Being Cyber Aware
Last year, I flagged a data point in our annual PLANSPONSOR Defined Contribution Survey that surprised me. It said 98.8% of plan sponsors agreed with the statement “I am confident that sensitive participant data on our provider’s recordkeeping system is safe/secure from cyberthreats,” with 63% of respondents across all asset sizes saying they “strongly agree.”
It’s hard to make sense of that sentiment in this day of cybersecurity concerns—and of the perceived trust of recordkeeping providers that it shows. I wonder, does this mean plan sponsors are ignorant of the perceived threats, or just aware that there’s little they can do about the provider platform and how those vendors approach cybersecurity and safety?
Whatever the case, I think it shows a need for a greater attentiveness and focus on what can be done. It’s an opportunity for plan advisers to take stock of their own practice and educate plan sponsors about the need for vigilance.
Recently, one of the most viewed stories on our website discussed retirement plan theft at the participant level—specifically speaking to the role of the recordkeeper. A lawsuit was filed in the U.S. District Court for the Southern District of New York, in which a former global director for customer marketing at Colgate-Palmolive alleged that thieves depleted her entire account balance of approximately three-quarters of a million dollars. The lawsuit names the Colgate-Palmolive employee relations committee, plan recordkeeper Alight Solutions and custodian BNY Mellon all as defendants. While an egregious instance, it is not the only instance of money gone missing from a retirement plan.
Cybersecurity lapses can be costly for everyone involved. In the adviser space, last year, multiple Cetera entities were charged a combined $300,000 in fines and penalties for failures in their cybersecurity policies and procedures. These errors resulted in what the Securities and Exchange Commission described as “email account takeovers,” which exposed the personal information of thousands of customers and clients at each firm. Outside of the financial services industry, these attacks happen daily and indirectly affect us all.
Advisers should remember that their role regarding cybersecurity encompasses both helping plan sponsors ensure their plans and participants follow best practices and helping employees on their own advisory team do the same. In research from Tessian, 30% of employees said they don’t think they personally play a role in maintaining their company’s cybersecurity. But the truth is, everyone plays a role.
After all, most of the time breaches are caused by human error. More than half (58%) of employees have sent an email to the wrong person at work, and one in four have clicked on a phishing email in their employee mailbox. While the Tessian research says 43% of people have made mistakes at their workplace that compromised cybersecurity, only 39% of employees said they’re very likely to report a security incident. If employees don’t report errors or security concerns, problems, breaches and losses become more likely.
For those who don’t have this front and center at their firm or in client discussions, last year the Department of Labor’s Employee Benefits Security Administration issued new cybersecurity guidance for plan sponsors, fiduciaries, participants and recordkeepers—reminding everyone of the need to be vigilant about hiring and evaluating service providers, and their own online security practices.
It’s a reminder that advisers must be aware of increasingly sophisticated cyberattacks and institute practices to ensure that their own firm, as well as their clients and participants, does not become a victim.