As the retirement industry moves toward more personalization for participants to plan and save, the chance for “bad actors” to gain access to their information also increases, according to financial cybersecurity experts.
With increased emphasis on customized financial education for participants, wellness and asset management, advisers must be equally careful to ensure that the service providers they are recommending have the highest levels of cybersecurity, says Brian Edelman, CEO of cybersecurity protection firm FCI Cyber Inc.
“The more nonpublic information that participants share [with recordkeepers or financial advisers], the more susceptible the participants are to hackers using that information,” Edelman says. “If hackers can use the information to trick the plan administrator into making a distribution of plan assets, then they are drawing from a very large pool.”
The retirement industry is ramping up customization efforts even as consumers express concern for the protection of their personal information. In a recent survey, analytics and software provider FICO revealed the top consideration for opening a new financial account was “good fraud protection,” at 33.1% of respondents, followed by “ease of use” and then “good value for money.”
“Increased personalization means we all need to view cybersecurity as a responsibility,” says Ben Rizzuto, a retirement director at Janus Henderson Investors. “Recordkeepers need to have technology and training in place. Plan sponsors and advisers need to have good processes in place, including hiring and reviewing service providers, along with educating participants on the importance of cybersecurity.”
Participants also need to be informed that security succeeds due to their efforts, Rizzuto says. “They need to make sure their contact information is up to date with the recordkeeper and that they’ve set up things like two-factor authentication.”
Edelman of FCI says his firm is seeing an “alarming” number of fraudsters acting like participants to get distributions from retirement plans, particularly defined benefit plans, which may be less frequently monitored than defined contribution plans. He says that one immediate thing providers, advisers and plan sponsors can do is separate informational email from the communication used for cash distributions.
“If you want to send out a communication, educational content, or other things like that, then you have to have a well thought through strategy,” he says. “Use a different email – one that is separate from the money – unless you want to show the bad actors how to get access to the funds.”
More broadly, Edelman says, advisers must be vetting retirement plan recordkeepers and third-party administrators to ensure they are using best cybersecurity practices. That means asking questions, observing how they manage their services and bringing in an expert, if necessary.
“If I’m using a TPA, I’m going to ask for a layer of evidence that they have a cyber program, that they went through a risk assessment, and that when I log into their systems that they are using multi-factor authentication, encrypted email, etc. and that I can’t just get access to data without security,” he says.
Dennis Lamm, head of customer protection for Fidelity Investments, says it's important to take a close look at how providers authenticate and validate transactions, both in the digital and live voice channels.
Just a Suggestion
Regulators including the Securities and Exchange Commission, Financial Industry Regulatory Authority and New York Department of Financial Services are all looking closely at cybersecurity measures and implementing best practices as threats evolve, says FCI’s Edelman. But there is still a gap, he says, in terms of governance of retirement plan participants, with the U.S. Department of Labor last issuing guidance in April 2021.
Even with those guidelines in place, it can be difficult for plan advisers to vet providers on cybersecurity policy, as most don’t have the resources or expertise, says Jay Gepfert, CEO of DOL Cybersecurity, LLC, which provides third-party evaluation on the DOL’s cybersecurity guidelines.
“In my discussions with advisers, most are very uncomfortable getting too deep into the discussion, as they are not experts,” Gepfert wrote in an emailed response. “We suggest that during any RFI/RFP or periodic review that the adviser include a specific section of questions about cyber policies, breaches and contract provisions.”
Gepfert recommends that advisers ask what cybersecurity controls the recordkeeper has in place; if it has a package of information that addresses the DOL guidance; if it has completed any assessments and come back with deficiencies; and what contractual obligations it has in place to cover a breach and loss of assets.
All of these safety measures are more important than ever as the threat of exposure for recordkeepers and sponsors “continues to grow due to self-service web features and mobile technologies,” Gepfert said. “The main cause of cyber breaches remains human error. Sponsors and recordkeepers need to realize that the battle of cyber is an ongoing process, not a one-and-done solution.”
Rizzuto of Janus Henderson says, among other precautions, advisers should understand how suspicious activity is flagged, as well as train customer service personnel on cybersecurity threats and warnings.
“In most of the cases we’ve seen where participant assets have been stolen, such as Abbott Labs, Estee Lauder and others, it’s simply been because an imposter is able to call into a recordkeeper service center and talk the representative into giving them information to access the account,” Rizzuto said. “It’s not as if the cybercriminal has created some amazing hacking software that can get through all the technical walls. No, it’s just that they got the right person on the phone and were able to persuade them to give them a piece of information which then allows them to access the account.”
FCI’s Edelman says there continue to be developments in the field to stop hacks. These include using more centralized systems with embedded safety precautions instead of emails. He points to the wealth management industry software provider Docupace. Last year, it acquired PreciseFP, a data gathering and client engagement solution for advisers that can gather information in a centralized way.
“So we’re starting to see centralized systems as opposed to email, and those systems require you to authenticate who you are (MFA),” he says. “There’s a layer of protection when you use a system like that.”
Lamm of Fidelity pointed advisers to another best practices resource, the “Data Security Reporting and Fraud Controls Best Practices” from recordkeeper industry trade group SPARK Institute. The guide was designed by advisers and recordkeepers, including Fidelity, Lamm said, and can be a resource as cybersecurity measures evolve.
“Today’s typical defined contribution account already includes sensitive personal data, such as contact, beneficiary, and bank account information, that must be protected,” Lamm said. “As we expand our digital offerings and offer a more personalized experience, digital security will continue to be a top priority.”