Cybersecurity or Insecurity? Learn how to protect your 401(k) clients from cyberattacks
by Craig Rosenthal
Mar 09, 2022
The digital age has graced the 401(k) industry with its presence, gifting us with daily recordkeeping, investment tools, auto-features, e-delivery and more. But it is beginning to show another face and retirement plan advisors may be unprepared to deal with the consequences – cyberattacks.
Some of the most prevalent cybersecurity threats to retirement plans, fiduciaries and participants include:
- Monetary theft
- Stolen identity
- Loan fraud
- Rollover check interception
- Ransomware (blackmail)
- Malware (software attacks for information)
- Phishing (suspicious emails and links)
Since retirement plan accounts contain not only assets but lots of personal data, they are a very attractive target to cyber attackers.
With 1 in 2 organizations encountering some sort of ransomware-related activity during 2021, cybersecurity is becoming a very real threat to companies – especially those that handle assets like 401(k) savings.
Cyber insecurity is a serious problem. Only 76% of RIAs hold cyber insurance, leaving 24% exposed to these threats and unprotected in case of a breach. Of those with cyber insurance, the median coverage amount is only $1 million. These assets and the personal information that comes along with them are even more vulnerable because of the numerous parties collaborating on them, from recordkeepers to payroll companies to TPAs to plan sponsors and everyone else in between.
Fighting the Cyber Battle
To combat these online threats, start by asking questions. Open discussions with all of your service providers about encryption, user authentication, privacy protection and other procedures they are implementing to ensure your retirement plan client’s data is safe. Here are some great conversation starters:
- Do any of your data-collection methods potentially increase your risk of a breach? (e.g. When onboarding a new client, how do you collect census data? If it’s an Excel spreadsheet, ask how it is protected.)
- What are your internal data-flow processes? Is there a certain level of authorization required for sensitive data access? (e.g. multi-factor authentication.)
- Who do you share data with and how do you determine third-party authorization? (e.g. Is there a vetting process for vendor management?)
- If you haven’t already encrypted your data, is encryption necessary for it to be protected?
- What are your procedures in the event of a security breach? Do you have a SOC Audit policy?
- Do you/should you have cyber insurance? What is covered? What are the policy limits? Why or why not?
Look for confident, evidence-based answers from your service providers, along with clear standards, procedures and documentation.
Continuing the Conversation
Now that everyone’s aware of the possible threats to plan assets and data, how can advisors and employers continuously stand guard? The answer lies within a comprehensive understanding across all parties involved, from advisor to provider to participant. Everyone should complete their cybersecurity training and adhere to a best practice guide like the one below.
Cybersecurity Best Practices Guide for the 401(k) Industry
- Routinely monitor online account activity
- Use multi-factor authentication
- Use strong, unique passwords
- Follow set procedures for authorization and security
- Complete cybersecurity training
- Clearly define communication, roles and responsibilities
- Conduct regular audits and protocol reviews
- Create and know account recovery strategies
In today’s digital age, cybersecurity is more important than ever. Hackers are finding new ways to steal data every day, so it’s essential that your business has a plan in place to protect itself. Unfortunately, many businesses don’t have the resources or knowledge to create an effective cybersecurity strategy.
Craig Rosenthal, Head of Strategy and Chief Marketing Officer
Craig is Head of Strategy and Chief Marketing Officer for Fiduciary Decisions. In this role, he is responsible for driving Product and Partnership strategy as well as the overall messaging and marketing for the firm.