Cyber Security Update: Act Now on Multiple Fronts

 

Cyber crime and cyber security are obviously a concern for plans. But that means more than making sure plan records and accounts are not targets and victims — it also includes other functions, structures and systems.

Experts at the recent SPARK Forum held in Palm Beach, FL, offered insights and tips on heading off cyber crime and protecting the integrity of processes and systems.

Retirement Plans in the Crosshairs

The good news: overall, fraud is down, reported Larry Goldbrum, Senior Vice President and Director of ERISA Fiduciary Services, Retirement Strategies Group, at Reliance Trust. In fact, said Goldbrum, while cyber fraud amounted to $14.7 billion in 2018, there is still a three-year trend of improvement. Account takeover fraud was the biggest single form of fraud, and came to $4 billion in 2017-18, which was a 9% drop from the previous period.

The bad news: Goldbrum said that while overall cyber fraud and account fraud are down, the same is not true for retirement account fraud. That form of cyber fraud in 2017-18 was three times as high as the level of the previous period. Criminals are “moving away from card fraud to retirement accounts and loan accounts,” he told attendees.

Attacks are not just aimed at accounts, but also at entire systems, Rick Floress, Senior Vice President, Risk Management, FIS, said. If one can penetrate a system, one can break into credentials and whole systems, he warned.

Email is not immune, either, noted Yalmore Grant, Director of Information Security, SS&C Technologies. “Email is known to be an inherently insecure mechanism,” he remarked.

And children’s data is at risk as well, Floress said. “The value of your kids’ data is 51 times that of an adult,” he said. And that even applies to babies — “especially to infants,” he noted. Why? Floress explained: “Credit generally is not checked for 18 years. It is easier to use their IDs to perpetrate fraud.”

And, added Floress, social media platforms heighten the risk to which plans and accounts are exposed. Not only that, he said, “because the payoff on retirement plan fraud is so high, we’re seeing hijacking and takeovers of phones, too.”

“I’m not sure all participants understand how bad it can be for them,” said Bill Byerly, Executive Vice President and Global General Manager of Retirement Solutions at FIS, of the threat cyber crime poses to retirement plan participants.

New Attackers

While it is not limited to them, Floress said, there is an increase in fraud coming from countries whose governments are subject to U.S. sanctions. “More and more,” Floress said, “they are looking to cyber crime to fund government operations.” We used to talk about cybercrime as a crime, but “now we talk about it as an economy.” And on such a scale, he said, that the amount of revenue involved in some such cyber crime operations exceeds national gross domestic products.

Steps to Take

Panelists offered suggestions regarding steps by which plans and participants can be protected from cyber criminals.

Strengthening internal controls is key, argued Floress, and Byerly suggested looking at policies and procedures. He also argued for setting up a review process “that goes all the way up to the CEO.” That, he said, “is going to help you.” Floress added that even if a plan has procedures in place and an incident happens nonetheless, those procedures still are worthwhile and can be helpful. Said Floress, “a lot of organizations that have a risk event recover quickly if they have a procedure in place.”

Email security takes on added importance in light of the new rules the Department of Labor (DOL) recently issued in which it unveiled a new, optional, electronic delivery safe harbor for retirement plans. Delivery does not have to be by email, said Michael Hadley, Partner, Davis & Harmon, LLP, “but I assume that’s how most people are going to start.”

Panelists offered ideas on making use of email more secure, including:

  • Provide a challenging question for users to respond to for verification of identity.
  • Consider suppliers; could any compromise data?
  • Consider the overall organization and network and whether you are following best practices to protect them.
  • Suggest that clients educate participants on security. “It comes down to experience and education,” said Grant.
  • It can help to have leaders from the top of the organization discuss security.

And think big, panelists argued — small-scale action is not enough. “It has to be the whole organization,” Byerly said, adding, “You’ve got to have procedures in place and protocols in place that drive your business in the right way.” Floress expressed a similar sentiment, remarking that defenses should be “in depth.” Said Floress, “Make sure you’re protected at every level. Not just the front-line people.”

Act Now

Panelists warned attendees not to waste time. “Don’t wait till you have a breach or a cyber event to act. You need to think about this ahead of time,” said Floress. “The cost to your company can be great. You really have to take it seriously,” Byerly cautioned.