Cybersecurity Threats Rising

Nearly one-third of retirement plan recordkeepers expect to increase their cybersecurity staff, according to a recent survey.
The threat of retirement account fraud has increased in recent years, particularly in the remote work environment, according to findings from the 2021 Cerulli Edge U.S. Retirement Edition. As a result, 31 percent of plan recordkeepers intend to increase staffing to address cybersecurity initiatives.

According to the Cerulli report, the Internet Crime Control Complaint Center of the Federal Bureau of Investigation reported 791,790 cybercrime complaints in 2020—a 69 percent jump in total complaints from 2019. Cybersecurity crimes in 2020 resulted in financial losses exceeding $4 billion. Although many recordkeepers haven’t experienced a data breach yet, many believe it’s just a matter of time as techniques employed by cybercriminals get more sophisticated. One fraud surveillance expert at a large defined contribution (DC) recordkeeper suggested to Cerulli that older participants tend to be the most frequent targets of cyberattacks, in part because they typically have higher account balances than younger employees, but also because criminals perceive them to be less technologically savvy.

Implementing new technologies, including biometric login credentials such as thumbprints or facial recognition, is one part of building an effective cybersecurity practice. Cerulli suggests that providers should play an active role in encouraging participants to adopt these technologies and enhance the security of their accounts and personal information on their own. Moreover, recordkeepers should look to evaluate the cybersecurity practices of the service providers with which they exchange or share participant data.

In April 2021, the U.S. Department of Labor (DOL) released cybersecurity guidance for recordkeepers, plan fiduciaries, and participants. The guidance includes tips for plan sponsors to evaluate the cybersecurity practices of recordkeepers and other retirement plan service providers, along with tips plan sponsors and service providers should relay to plan participants. (In June 2021, the DOL began conducting retirement plan cybersecurity audits.) In addition, the SPARK Institute published cybersecurity best practices last year that provide specific recommendations for mitigating retirement account fraud. The report offers suggested practices to be implemented by plan fiduciaries, participants, and service providers with regard to authenticating accounts, establishing and reestablishing account access, protecting contact data and communications, conducting fraud surveillance, and developing custom reimbursement policies.

Action item: Talk with your current recordkeeper provider(s) and ask them about their cybersecurity policies and procedures.

Web Resources for Plan Sponsors