Here are some helpful tips on cybersecurity to share with your staff.
By Theresa Conti
Cybersecurity is a big issue for all of us, not only in our business lives but also in our personal lives. It is truly one of those topics that keeps me up at night! It is such a big issue that in April 2021, the DOL published cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants. The guidance addressed three topic areas: tips for hiring a service provider, cybersecurity best practices, and online security tips. This article looks at some of the biggest things that we should emphasize to our staff to ensure that we protect the precious and sensitive data that we have. The first and biggest risk we face is really the internet itself. Since we are continually connected with many devices, that creates a lot of places where data can be accessed. In addition, we are all continually accessing the internet and have constant connections, creating many areas for criminals to target. Criminals are using hacking techniques to get login credentials. Then they use other information that is accessible on social media to help authenticate themselves when it comes to certain transactions (such as loans or distributions). People give up information readily on these types of social media platforms. Especially in today’s post-COVID world, criminals have become much sneakier and fraud is more prevalent.
If many of your staff now work remotely a significant amount of the time, make sure your they have the proper security in place at their homes. All routers allow the user to create a secure password for access; all staff should be required to have that in place. In addition, there was a significant increase in threats during the pandemic and criminals found new schemes. They use such things as malware, phishing messages/emails, and fake website links. Phishing is used to trick the email recipient into revealing information that can then be used to access accounts or commit other types of fraud. The victim gets an email that appears to be from someone they know (e.g., a financial institution or trusted party). The email will have a malicious link that directs the victim to a fake site which then requests login or other personal information. The criminals then use this to access real accounts and access the victim’s information. According to the federal government, this is still the No. 1 form of internet fraud, even though it is the most recognizable. Email account compromise can take several forms. Criminals gain access to an email account and use existing or new email threads to request funds or change real transactions. There have been cases of an employee of a company receiving an email from a company executive to send money somewhere. The employee carries out the instructions without verifying the sender, and the money is sent to an account that the criminal controls. According to the FBI, this is still the No. 1 email scheme… because what employee isn’t going to take direction from an executive? There are many other things that criminals can find out from emails if they are able to hack into them. These include all kinds of personal information, such as travel plans, photos, passwords, paystubs, tax forms, signatures, and all kinds of account information. That is why it is so important to send this type of information using a secure portal or other method allowing secure upload. We also continue to see clients’ email accounts being compromised. As service providers, we need to be careful about taking instruction from a client by email—it might sound like a client, but if it seems fishy there is no harm in questioning it. In fact, we sometimes get clients questioning us about items we are sending to make sure they are “real.” One thing that has become apparent is that if you are checking on an email, don’t reply to that email. You probably want to call instead, because often the scammers are monitoring the email and have full control of it and may respond as the client. In fact, many recordkeepers and trust companies significantly reduced using wire or ACH transfers in the past few years to try to derail criminals from accessing retirement plan funds. Most recordkeepers now make a participant “jump through hoops” to get distribution or loan funds sent via wire or ACH, and now mostly use checks. Since that change was made, however, it now seems that most fraud is focused on checks. Check fraud can occur in many forms, but mostly it’s a distribution request that has a different address, or the criminal is taking the checks out of the participant’s mailbox and washing them to gain access to the retirement plan accounts. With check fraud, unfortunately, it is difficult to recover the assets—only about 2% are recovered. So, what can we do to help prevent these types of cybersecurity issues? We can use password managers, antivirus protection and two-factor authentication, along with secure upload/portals to share data and other confidential information. Password managers are fairly easy to implement and use as part of your business model, and there are many out there to choose from. Work with your cloud-based provider or IT staff to use the one that is most appropriate for your team. Most importantly, as service providers we should have cybersecurity insurance. Make sure to thoroughly review what is included in the policy, including what things are covered. In addition, make sure that you are also aware of things you need to do as the insured. For example, I know that our policy requires employee cybersecurity training as part of the coverage. You often hear about companies that have had breaches and the criminals sit out there for years before they use the information for other purposes or sell it on the dark web. And if you have a breach or some sort of fraud, make sure you report it immediately—not only to your cybersecurity insurer but also to local police and/or the FBI. Your report may help stop the criminal from doing it to someone else. Lastly, everyone needs to be aware of the dangers and work as partners. When it comes to plan sponsors, fiduciaries, recordkeepers, participants, financial advisors and TPAs, we need to work together and help each other. If something happens to me, knowing about the details could prevent the same thing from happening to you!
