Plan Participants Have Their Own Responsibilities for Cybersecurity

Plan sponsors are taking measures to battle cyberattacks on retirement plan participant data and accounts, but is there anything participants can do to protect them?

It’s already known that participants should be registering their retirement plan accounts online. If a participant has his account hacked, there is a higher probability of catching it when they are registered.

“We sometimes hear people say, ‘My account is safe because I never registered for online access,’ said Charlie Nelson, CEO of Voya Retirement, during an interview with PLANSPONSOR in May. “That can be misguided. Fraudsters will sometimes try to get access to an unregistered account so they can set the original data points, such as a phone number or other piece of information.”

The first step towards securing personal assets and data is knowing where that information lies, says Ted Schmelzle, senior director of Retirement Solutions at Securian Financial. While data breaches can happen at any point, participants who take ownership in protecting themselves will be more observant of their assets, thus avoiding losses in the case of a hack.

“Participants are going to have to be aware of where their information is, and in particular, where there might be vulnerabilities because they’ve got assets held at a particular institution,” explains Schmelzle.

An approach participants are always urged to employ is creating a strong, complex password. Constructing these passwords are common sense, adds Schmelzle, along with updating anti-virus malware on personal computers to reflect current models and avoiding links from unknown users.

Additionally, participants should be aware of what material they’re adding to their social media accounts. Profile information, including the city in which a participant lives, a photo of the company they work for, or even political opinions, for example, can expose individuals to hackers. Schmelzle uses the term “cyber-hygiene,”—ensuring participants are enforcing these precautions to the best of their ability, for both financial and personal wellness.

“Make sure that you have a very intentional view of what you’re putting on social media, so that you don’t compromise the security of account balances or give fraudsters a view into things that might compromise your security,” Schmelzle says.

Possibly one of the top methods in preventing breaches, attacks and hacks is two-factor or multi-factor authentication. A stronger back-up to secure passwords, it allows participants to sign into their account in multiple steps, which may include inputting their password and approving it on another device (such as cellphones and tablets).

Although one of the most popular measures for protecting a participant’s data and information, the approach can prove inconvenient for some. A 2017 report by SecureAuth, an adaptive authentication firm, found 74% of respondents using two-factor authentication said they have received complaints about the process from their users. Employing several devices and steps to accessing information can be tricky or irritating for these consumers, but for most, the additional security it adds curtails the hassle.

“[Convenience] is a small price to pay for the additional security,” says Schmelzle. “We are likely going to have to sacrifice some convenience for security, but there are many times where folks are going to have to understand that additional hoops have to be jumped through, or additional protocol followed in order to protect the essence of the account, even though it seems inconvenient at the time.”

Schmelzle likens the role of participants in cybersecurity to that of driving a car. “It’s like being a good driver,” he says. “You can still get into an accident, but if you’re employing good driving techniques, chances are you won’t.”