Why Cybersecurity for Retirement Plans Is More Important Than Ever

Plan sponsors need to ensure retirement plan participants are safe from escalating attacks by hackers that go after their savings, according to cybersecurity experts.

Employer retirement accounts are facing increasingly sophisticated attacks by hackers looking to get a slice of worker savings, according to cybersecurity experts.

“We’re seeing a significant increase in the hackers getting access to these retirement assets,” Brian Edelman, CEO of cybersecurity protection firm FCI, said during CNBC’s Financial Advisor Summit on Tuesday. “We’re out there protecting them on the investment side, but we need to also manage the data—if a hacker gets at the retirement assets, then there is nothing left to manage.”

Edelman said during a panel discussion called “Securing Your Savings” that criminals will use a corporate email hack to insert themselves into an existing conversation between a plan participant and a plan administrator. They then try to get the participant to divert savings to a separate account controlled by the criminal.
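The pattern Edelman describes is business email compromise: the attacker rides an existing thread and asks for funds to go somewhere new. The script below is an added illustration of the checks a mail gateway or a plan administrator's help desk can run on such a message; it is not code from the article, from FCI, or from any firm named here. The trusted domain, the phrase list, the two sample messages and the routing number in them are all constructed for this example, and the thresholds are assumptions to be tuned against real mail.

```python
"""Flag e-mails that look like a hijacked plan-administrator thread asking to
redirect retirement contributions.  Added example; domains, addresses, phrase
list and message text are constructed, not taken from any real incident."""
import email
from email.utils import parseaddr

# Assumed: the plan administrator's real sending domain (constructed).
TRUSTED_DOMAINS = {"example-retirement.com"}

# Assumed phrase list; a real deployment would tune it against its own mail.
REDIRECT_PHRASES = (
    "new account", "updated banking", "routing number", "wire",
    "direct your contribution", "change your contribution",
)


def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when domain is within two edits of a trusted domain but is not one."""
    return bool(domain) and domain not in trusted and any(
        edit_distance(domain, t) <= 2 for t in trusted)


def _body_text(msg):
    """Concatenate text/plain parts so the phrase check sees the whole body."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")


def analyze_message(raw, trusted=TRUSTED_DOMAINS):
    """Return the list of warning flags raised for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to domain differs from sender domain")
    if is_lookalike(from_domain, trusted):
        flags.append("sender domain is a lookalike of a trusted domain")
    if is_lookalike(reply_domain, trusted):
        flags.append("reply-to domain is a lookalike of a trusted domain")
    if msg.get("In-Reply-To") and from_domain not in trusted:
        flags.append("continues an existing thread from outside the trusted domain")
    body = _body_text(msg).lower()
    if any(p in body for p in REDIRECT_PHRASES):
        flags.append("asks to redirect funds or change banking details")
    return flags


def verdict(flags):
    """Hold for out-of-band verification when a redirect request coincides with
    any identity anomaly; a redirect request alone still deserves a phone call."""
    redirect = any(f.startswith("asks to redirect") for f in flags)
    identity = any(not f.startswith("asks to redirect") for f in flags)
    if redirect and identity:
        return "hold: verify by phone using a number on file before acting"
    if redirect:
        return "verify: confirm banking change out of band"
    return "allow"


# Constructed sample: a reply in an existing thread from a typo-squatted domain.
HIJACKED_THREAD = """\
From: Plan Services <support@example-retirment.com>
To: participant@corp.example
In-Reply-To: <20240101.1234@example-retirement.com>
Subject: Re: Your 401(k) rollover
Content-Type: text/plain

As discussed, please direct your contribution to our new account;
the routing number is 000000000 (constructed for this example).
"""

# Constructed sample: an ordinary statement notice from the real domain.
LEGIT_NOTICE = """\
From: Plan Services <support@example-retirement.com>
To: participant@corp.example
Subject: Your quarterly statement is available
Content-Type: text/plain

Log in to the participant portal to view your quarterly statement.
"""

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED_THREAD), ("legit", LEGIT_NOTICE)):
        found = analyze_message(raw)
        print(name, "->", verdict(found), found)
```

The header checks catch lookalike domains and Reply-To tricks, but not the case where the attacker is sending from a genuinely compromised administrator mailbox, where every header is authentic. That is why the verdict never auto-approves a banking change: the only reliable control for a diversion request is confirming it through a channel the e-mail did not supply, such as a phone number already on file.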

Gregory Wilson, chief information security officer for Putnam Investments, said he has seen an increase in phishing attacks in which hackers send a fake message to take over an account and steal the assets. If these types of attacks are not stopped, there is a very short window of time for authorities to get the money back, according to Wilson.

“You need to get [the money] back in two days; otherwise, the ability to get those funds back drops significantly,” he said.

Both experts said fiduciaries for retirement plans should be well versed in guidance the U.S. Department of Labor put out last year on cybersecurity for retirement benefits. The guidance provides both best practices for ERISA-covered retirement plans and guidance on how to select a service provider with strong cybersecurity practices.

Wilson of Putnam said that while it is important for fiduciaries to follow the DOL guidelines, they should understand those guidelines are only a foundation on which to build controls suited to a plan's specific circumstances.

“That is going to be the standard they are held to if something goes wrong,” Wilson said. “The thought is often to do the absolute minimum, but if something goes wrong, there are penalties, fines and institutional risk that comes into play. [Fiduciaries] need to do everything they can to entrust the assets.”

At Putnam, Wilson said he conducts “tabletop exercises” in which a specific financial scam is set up, and teams work on them as if they were actually happening. He once had the FBI come in to run a scenario in which even he did not know the setup, he said.

Wilson noted that one of the biggest issues arises when a decision-maker is unavailable, and the company cannot act quickly. It’s important, he said, to have an active chain of command to mitigate that risk.

“Murphy’s Law says that when something goes boom, the person you need won’t be available,” he said. “You don’t want to be holding the bag without a way to contact that person.”
