Cybersecurity Tips For Retirement Plans
Courtenay Shipley, CRPS, AIF, CPFA, CEPA
Navigating plan sponsors of small/medium-sized businesses through the corporate retirement plan maze.
The Aspen Institute released an article in April that says, “Amid the COVID-19 crisis, which continues to impact public health, the global economy, and life as we know it, known instances of cybercrime have more than tripled.”
As much as we don’t want to think about it, retirement plans are a target of cybercrime. Examples include fraudulent loan and distribution requests submitted from a compromised participant account, and theft of the personal information held in plan records.
Here are tips for helping prevent malicious account takeovers:
- Encourage participants to register their plan accounts online themselves (before a fraudster claims the unregistered account) using a strong, unique password; to review their privacy and contact settings; to avoid accessing their account over public wi-fi; and to be alert for phishing and other scams.
- Embrace and activate multi-factor authentication.
- Communicate cyber “best practices” to participants (e.g., never send your SSN by email!).
- Focus on your recordkeeper’s SOC 2 reports. These cover a service organization’s controls over the security, availability, processing integrity, confidentiality and privacy of its systems, as opposed to SOC 1 (formerly issued under SSAE 16, now under SSAE 18), which covers controls relevant to the client’s financial reporting. Ask for the Type II report, which tests whether the controls actually operated over a review period (rather than just being designed at a point in time), and read the scope, the auditor’s opinion and any noted exceptions instead of stopping at the cover page.
- Regularly monitor your plan and accounts for suspicious activity. It never hurts to double-check a loan or distribution request, especially one that closely follows a change to the participant’s email, phone number or bank account details.
Another way that employers can assist their employees with protecting their accounts is by selecting providers that invest in cybersecurity and take it seriously. We’ve taken to including questions about vendors’ security policies in our RFPs. If you haven’t asked your retirement plan providers — including recordkeeper, TPAs, advisor, auditors, and education firm — about cybersecurity lately, it’s important to put it on your agenda.
Here's just some of what we’re seeing from providers lately:
- Requiring 2-factor authentication when accessing an account online.
- Ability to block electronic money movement out of accounts, protecting balances from unauthorized transfers.
- Ability to get instant security alerts on a mobile number when certain transactions or profile updates are made to the account.
- Voice recognition technology to instantly verify the caller at the call center.
- Controls that protect their systems from attackers and detect an intrusion quickly, so that any damage is contained.
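The “monitor for suspicious activity” tip above and the provider alerts on transactions and profile updates describe the same check: a loan or distribution request is much more likely to be fraudulent when it follows a recent change to the account’s contact or payment details, or comes from a device the account has never used. The script below is an added example written for this article, not code from the author or any recordkeeper. The activity feed it reads is constructed, and the event names, fields and seven-day window are assumptions; a real recordkeeper exports activity in its own format.

```python
"""Flag loan and distribution requests that fit a common account-takeover pattern.

Added example for this article, not code from the author or any recordkeeper.
The event feed below is constructed, and the event names and fields are
assumptions: real recordkeepers export account activity in their own formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Profile updates that frequently precede a fraudulent loan or distribution
# (the attacker redirects the account's contact and payment details first).
SENSITIVE_CHANGES = {
    "email_change", "phone_change", "address_change",
    "bank_account_change", "password_reset", "mfa_disabled",
}
MONEY_MOVEMENT = {"loan_request", "distribution_request"}
LOOKBACK = timedelta(days=7)  # how long after a profile change a request stays suspicious


@dataclass(frozen=True)
class Event:
    ts: datetime        # when the event happened
    participant: str    # participant / account identifier
    kind: str           # "login", one of SENSITIVE_CHANGES, or one of MONEY_MOVEMENT
    device: str = ""    # device or session fingerprint, only meaningful for logins


def flag_suspicious(events, lookback=LOOKBACK):
    """Return [(request_event, [reasons])] for every loan or distribution
    request that should be verified out-of-band before it is approved."""
    by_participant = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_participant.setdefault(e.participant, []).append(e)

    flagged = []
    for history in by_participant.values():
        seen_devices = set()
        last_device = None
        last_device_is_new = False
        recent_changes = []
        for e in history:
            if e.kind == "login":
                # A device counts as "new" only when the account already has login
                # history; otherwise every first-time registration would be flagged.
                last_device_is_new = bool(seen_devices) and e.device not in seen_devices
                seen_devices.add(e.device)
                last_device = e.device
            elif e.kind in SENSITIVE_CHANGES:
                recent_changes.append(e)
            elif e.kind in MONEY_MOVEMENT:
                # Keep only profile changes that fall inside the lookback window.
                recent_changes = [c for c in recent_changes if e.ts - c.ts <= lookback]
                reasons = [f"{c.kind} {(e.ts - c.ts).days} day(s) before request"
                           for c in recent_changes]
                if last_device_is_new:
                    reasons.append(f"request from device {last_device!r} never seen on this account before")
                if reasons:
                    flagged.append((e, reasons))
    return flagged


def at(day, hour=9):
    """Timestamp helper for the constructed sample feed."""
    return datetime(2020, 6, 1) + timedelta(days=day, hours=hour)


# Constructed sample activity feed (not real plan data).
SAMPLE_EVENTS = [
    # P-1001: routine loan from a known device, no recent profile changes -> not flagged
    Event(at(0), "P-1001", "login", "dev-A"),
    Event(at(30), "P-1001", "login", "dev-A"),
    Event(at(30, 10), "P-1001", "loan_request"),
    # P-2002: new device, then email and bank account changed, then a distribution -> flagged
    Event(at(0), "P-2002", "login", "dev-B"),
    Event(at(27, 8), "P-2002", "login", "dev-Z"),
    Event(at(27), "P-2002", "email_change"),
    Event(at(29), "P-2002", "bank_account_change"),
    Event(at(31), "P-2002", "distribution_request"),
    # P-3003: address changed two months before the loan -> outside the window, not flagged
    Event(at(0), "P-3003", "login", "dev-C"),
    Event(at(1), "P-3003", "address_change"),
    Event(at(60), "P-3003", "login", "dev-C"),
    Event(at(60, 10), "P-3003", "loan_request"),
]

if __name__ == "__main__":
    for request, reasons in flag_suspicious(SAMPLE_EVENTS):
        print(f"{request.ts:%Y-%m-%d} {request.participant} {request.kind}: " + "; ".join(reasons))
```

Run as-is, it flags only the P-2002 distribution, with three reasons (email change four days earlier, bank account change two days earlier, request from a never-seen device). The point of a rule like this is not to block the request automatically but to route it to a human who calls the participant back on a phone number that was on file before the change.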
Cybersecurity should be an ongoing part of your due diligence process and monitoring for your retirement plans, and also a vital part of your communication campaigns with employees. Need assistance evaluating your providers? Reach out for help.
-----------
Courtenay Shipley, CRPS, AIF, CPFA has a diverse background in the retirement plan industry providing a unique foundation for her clients in the areas of fiduciary responsibility, investment analysis, and participant education. During her career she has provided institutional investment consulting to qualified retirement plans, developed business strategy for a boutique third party administrator and recordkeeper, conducted over 9,000 education meetings to groups and individual employees, and served the nonprofit market.
Courtenay is a graduate of Vanderbilt University, and is licensed as an investment advisor representative (Series 66). She holds the Accredited Investment Fiduciary® (AIF®) designation through the Center for Fiduciary Studies, the Chartered Retirement Plan Specialist (CRPS) designation from the American College of Financial Planning, the Certified Plan Fiduciary Advisor (CPFA) from National Association of Plan Advisors, and the Certified Health Savings Advisor (CHSA) designation. Since 2015 she has been featured in the Financial Times Top 401 Retirement Plan Advisors annual list, named a Top Women Advisor All-Star by the National Association of Plan Advisors (2015, 2017-2019), and named a 2018 NAPA Young Gun: Top 75 under 40.