Experts: More Hackers Going After Retirement Savings

Cybersecurity experts say they see an increase in theft of participant data from retirement plans, and warn about scams in cryptocurrency investments.

Employer retirement accounts are facing increasingly sophisticated attacks by hackers looking to get a slice of worker savings, and cryptocurrency investing is particularly at risk for scams, according to two financial-focused cybersecurity experts.

“We’re seeing a significant increase in the hackers getting access to these retirement assets,” Brian Edelman, CEO of cybersecurity protection firm FCI, said during CNBC’s Financial Advisor Summit on Tuesday. “We’re out there protecting them on the investment side, but we need to also manage the data—if a hacker gets at the retirement assets, then there is nothing left to manage.”

Edelman said during a panel discussion called “Securing Your Savings” that criminals will use a corporate email hack to intercept a conversation between a retirement plan saver and a plan administrator. They then try to get the participant to divert savings to a separate account run by the criminal.

Gregory Wilson, chief information security officer for Putnam Investments, said he has seen an increase in phishing attacks in which hackers send a fake message to take over an account and steal the assets. If these types of attacks are not stopped, there is a very short window of time for authorities to get the money back, according to Wilson.

“You need to get [the money] back in two days; otherwise, the ability to get those funds back drops significantly,” he said.
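The two attack patterns the panelists describe, a compromised or impersonated administrator mailbox steering a participant toward a new account, and a phishing message used to take over the account itself, share observable traits at the mail layer. The following is an added example, not code from the article or from either speaker's firm: a heuristic screen that flags a message whose Reply-To domain differs from its From domain, whose sender domain is a near-miss of the plan administrator's real domain, or whose body carries payout-redirection language. The trusted domain, the phrase list and both sample messages are constructed for illustration.

```python
"""Heuristic BEC screen for retirement-plan correspondence (added example).

Assumptions (not from the article): the administrator's legitimate sending
domain is the hypothetical 'planadmin.example', and the phrase list below is
an illustrative set of payout-diversion indicators, not a vetted rule set.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical legitimate sending domain of the plan administrator.
TRUSTED_DOMAINS = {"planadmin.example"}

# Illustrative phrases that accompany requests to redirect a distribution.
DIVERSION_PHRASES = (
    "new bank account",
    "update your banking",
    "change the account",
    "routing number",
    "wire",
    "rollover to",
)


def _domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set[str] = TRUSTED_DOMAINS) -> bool:
    """True when the domain is not trusted but is within two edits of one."""
    return domain not in trusted and any(_edit_distance(domain, t) <= 2 for t in trusted)


def screen_message(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg["Reply-To"]) if msg.get("Reply-To") else from_dom

    # A Reply-To pointing somewhere other than the sender is the classic way a
    # hijacked thread is silently redirected to the attacker.
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if is_lookalike(dom):
            findings.append(f"{label} domain {dom!r} is a lookalike of a trusted domain")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in DIVERSION_PHRASES if p in text]
    if hits:
        findings.append("payout-diversion language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real correspondence).
LEGIT = """\
From: Plan Services <payouts@planadmin.example>
To: participant@corp.example
Subject: Re: Distribution paperwork

Your distribution form has been received; no further action is needed.
"""

SUSPECT = """\
From: Plan Services <payouts@planadmin.example>
Reply-To: Plan Services <payouts@plan-admin.example>
To: participant@corp.example
Subject: Re: Distribution paperwork

Please send the rollover to the new bank account below; the routing number has changed.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, screen_message(raw) or ["no findings"])
```

The screen is deliberately conservative: a single Reply-To mismatch is common in legitimate mail, so in practice the findings would feed a reviewer or a step-up verification (a call to the administrator on a known number) rather than an automatic block. It is the human verification step, not the heuristic, that closes the gap the panelists describe.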

Both experts said fiduciaries for retirement plans should be well versed in guidance the U.S. Department of Labor put out last year on cybersecurity for retirement benefits. The guidance provides both best practices for ERISA-covered retirement plans and guidance on how to select a service provider with strong cybersecurity practices.

Wilson of Putnam said that while it is important for fiduciaries to follow the DOL guidelines, they should understand those guidelines are just a foundation to build on for the specific circumstances of a plan administrator.

“That is going to be the standard they are held to if something goes wrong,” Wilson said. “The thought is often to do the absolute minimum, but if something goes wrong, there are penalties, fines and institutional risk that comes into play. [Fiduciaries] need to do everything they can to entrust the assets.”

Crypto Concerns

Cryptocurrency investing, as a largely unregulated area, is particularly susceptible to cyberattacks, according to FCI’s Edelman.

“The bad actors have the ability to get into the system,” Edelman said. “It’s important to have encryption in place and a security professional who can help secure those assets.”

Cryptocurrency, while not prevalent in retirement plans, is available in some 401(k) plans and has been marked as a concern by the DOL.

On Monday, cybersecurity firm Privacy Affairs put out a study showing that cryptocurrency investors lost a combined $3.5 billion in 2022 to scams or “rug pulls,” in which a developer attracts investors and then runs away with the assets before the project is complete.

Meanwhile, the collapse of cryptocurrency exchange FTX has regulators calling for more enforcement on digital assets, and the Certified Financial Planner Board of Standards, Inc. issued on Monday a new guide on cryptocurrency-related asset management.

Wilson of Putnam said that at his firm, he conducts “tabletop exercises” in which a specific financial scam is set up, and teams work through it as if it were actually happening. He once had the FBI come in to run a scenario in which even he did not know the setup, he said.

Wilson noted that one of the biggest issues arises when a decision-maker is unavailable, and the company cannot act quickly. It’s important, he said, to have an active chain of command to mitigate that risk.

“Murphy’s Law says that when something goes boom, the person you need won’t be available,” he said. “You don’t want to be holding the bag without a way to contact that person.”