Nearly one-third (31%) of retirement plan recordkeepers expect to increase their cybersecurity staff, according to the latest Cerulli Edge—U.S. Retirement Edition.
Industry stakeholders suggest the threat of retirement account fraud has increased in recent years, particularly during the remote work environment, Cerulli Associates says. And, even though the majority of recordkeepers act in a non-fiduciary capacity, Cerulli points out that courts have suggested that cybersecurity is a shared responsibility.
According to the Cerulli report, the Internet Crime Control Complaint Center (IC3) of the Federal Bureau of Investigation reports 791,790 cybercrime complaints in 2020—a 69% spike in total complaints from 2019—resulting in financial losses of more than $4 billion. “We haven’t had a data breach yet, but the stakes are getting higher…the techniques employed by cybercriminals are getting more sophisticated, particularly as we start to see more of this government-sponsored hacking,” one recordkeeper told Cerulli.
Few recordkeepers identified cybersecurity capabilities as a key differentiator when it comes to winning new defined contribution (DC) retirement plan business; however, more than three-quarters of retirement specialist advisers indicated cybersecurity is a very important factor when selecting a recordkeeper. This tied for second place with “website functionality and usability” (79%), just behind “investments available on the recordkeeping platform” (81%). Yet, less than two-thirds of small-to-mid-sized plan advisers have a formal written process for conducting due diligence on recordkeepers’ fraud prevention practices, according to Cerulli’s findings.
One fraud surveillance expert at a large DC recordkeeper suggested to Cerulli that older participants tend to be the most frequent targets for cyberattacks, partly because they typically have higher account balances than their younger cohorts, but also because criminals may perceive them to be less technologically savvy than younger participants. “Recently we’ve been seeing one scam where an older participant receives a pop up on their computer telling them there is something wrong with their account and offers a phone number to call, and when the participant calls, they aren’t getting their financial institution on the other end of the line, it’s the criminal,” the fraud surveillance expert said.
On the other hand, one Employee Retirement Income Security Act (ERISA) attorney suggested insider threats (i.e., employees of the service provider firm with direct access to participant account information) could be the most dangerous source of retirement account fraud. Cerulli suggests that recordkeepers not only address their own cybersecurity practices, but also evaluate the cybersecurity practices of the service providers with whom they exchange or share participant data.
In April, the Department of Labor (DOL) released cybersecurity guidance for recordkeepers, plan fiduciaries and participants. The guidance includes tips for plan sponsors to evaluate the cybersecurity practices of recordkeepers and other retirement plan service providers and tips plan sponsors and/or service providers should relay to plan participants for their part in keeping their accounts safe. The DOL has begun retirement plan cybersecurity audits.
In July, the SPARK Institute published cybersecurity best practices, which lay out specific recommendations for mitigating retirement account fraud. The report offers suggested practices to be implemented by plan fiduciaries, participants and service providers with regard to account authentication, establishing account access, re-establishing account access, contact data, communications, fraud surveillance and custom reimbursement policies.