Nearly one-third (31%) of retirement plan recordkeepers
expect to increase their cybersecurity staff, according to the latest Cerulli
Edge—U.S. Retirement Edition.
Industry stakeholders suggest the threat of retirement
account fraud has increased in recent years, particularly with the shift to
remote work, Cerulli Associates says. And, even though the majority of
recordkeepers act in a non-fiduciary capacity, Cerulli points out that courts
have suggested that cybersecurity is a shared responsibility.
According to the Cerulli report, the Federal Bureau of Investigation's Internet
Crime Complaint Center (IC3) received 791,790 cybercrime complaints in 2020, a
69% increase over 2019, with reported financial losses of more than $4 billion.
“We haven’t had a
data breach yet, but the stakes are getting higher…the techniques employed by
cybercriminals are getting more sophisticated, particularly as we start to see
more of this government-sponsored hacking,” one recordkeeper told Cerulli.
Few recordkeepers identified cybersecurity capabilities as a
key differentiator when it comes to winning new defined contribution (DC)
retirement plan business; however, more than three-quarters of retirement
specialist advisers indicated cybersecurity is a very important factor when
selecting a recordkeeper. This tied for second place with “website
functionality and usability” (79%), just behind “investments available on the
recordkeeping platform” (81%). Yet fewer than two-thirds of small-to-mid-sized
plan advisers have a formal written process for conducting due diligence on
recordkeepers’ fraud prevention practices, according to Cerulli’s findings.
One fraud surveillance expert at a large DC recordkeeper
suggested to Cerulli that older participants tend to be the most frequent
targets for cyberattacks, partly because they typically have higher account
balances than their younger cohorts, but also because criminals may perceive
them to be less technologically savvy than younger participants. “Recently
we’ve been seeing one scam where an older participant receives a pop-up on
their computer telling them there is something wrong with their account and
offering a phone number to call, and when the participant calls, they aren’t
getting their financial institution on the other end of the line; it’s the
criminal,” the fraud surveillance expert said.
On the other hand, one Employee Retirement Income Security Act
(ERISA) attorney suggested insider threats (i.e., employees of the service
provider firm with direct access to participant account information) could be
the most dangerous source of retirement account fraud. Cerulli suggests that
recordkeepers not only address their own cybersecurity practices, but also
evaluate the cybersecurity practices of the service providers with whom they
exchange or share participant data.
In April, the Department of Labor (DOL) released
cybersecurity guidance for recordkeepers, plan fiduciaries and participants.
The guidance includes tips for plan sponsors to evaluate the cybersecurity
practices of recordkeepers and other retirement plan service providers and tips
plan sponsors and/or service providers should relay to plan participants for
their part in keeping their accounts safe. The DOL has begun retirement plan
cybersecurity audits.
In July, the SPARK Institute published cybersecurity best
practices, which lay out specific recommendations for mitigating retirement
account fraud. The report offers suggested practices to be implemented by plan
fiduciaries, participants and service providers with regard to account
authentication, establishing account access, re-establishing account access,
contact data, communications, fraud surveillance and custom reimbursement
policies.