The biggest risk in securing retirement plan participants’ data from cyber threats may not arise from any technological or design flaw. For many plan sponsors looking to boost security, the greatest challenge could lie in motivating individuals to take the necessary steps to guard against potential fraud.
That task is a constant effort for many firms, such as Voya Financial.
“We consistently provide our employees and partners with information and educational tips and trainings about potential fraud schemes and how to protect themselves, the company and our customers,” says Allison Dirksen, senior vice president and head of wealth solutions sales with Voya.
Finding the best way to improve cybersecurity in retirement plans remains a perennial problem for plan sponsors because it requires ongoing participant buy-in. But some record keepers see the benefits in fostering a partnership with retirement plan participants while also enhancing internal security measures.
Although cybersecurity is not a new concern, Michael Kreps, co-chair of the Washington, D.C.-based Groom Law Group’s retirement services and fiduciary group, sees greater visibility of the issue as plan sponsors are increasingly focused on the need to strengthen protections.
“Plan sponsors are pretty paternalistic when it comes to their employees,” Kreps says. “Nobody wants their accounts stolen.”
To maintain vigilance on this topic, Voya regularly provides information, as well as training and educational pointers, about potential fraud. Most of the tips are focused around not becoming a victim of scams, Dirksen wrote in an email.
“Some of the biggest risks can come from participants themselves, not from an employer or plan provider,” Dirksen says, observing that the main threats may stem from opening a dangerous email attachment. That is the reasoning behind Voya’s emphasis on reminding individuals about digital security and offering guidance ranging from “don’t click on links from sources you do not know” to “secure your device and do not leave your laptop unsecure and unattended, specifically in a public area or vehicle.”
Finding the right metaphor and making it personal may also help inspire individuals to protect themselves, according to Jack Barry, vice president and head of product development for John Hancock Retirement.
“When you think about the retirement savings account, for most people this is their largest asset outside their home,” Barry says. “With your home, it’s much easier to physically secure and monitor, and then you go to assets in a plan, and you almost have to take as much care as you do to secure your home as you do when thinking about your retirement assets.”
Barry, based in Boston, views the approach as a team effort in which the retirement plan provider, employer and plan participant work together to prevent fraud. To aid in that process, John Hancock created a best practice guide to share with plan sponsors who have a direct relationship with plan participants and can circulate it on company intranet sites or in company-wide and team meetings.
The guide covers specific tips ranging from “use strong, unique passwords” to messages that “public, unsecured Wi-Fi is convenient, but it’s unreliable.” There are also reminders to “Be aware of what you share” on social media, since “the social aspect of social media means that we’ve become increasingly OK with publicly posting personal information.”
The warnings continue by spelling out to individuals that their answers to security questions on financial account sites, such as the names of a best friend or of pets, could be easily found online. The overarching message to individuals? Ask questions about who they should trust and what information they choose to disclose, according to Barry.
“For the retirement saver, a key is bringing a healthy dose of skepticism to everything,” Barry says.
To add further protection and help prompt individuals to take greater care with their own security, John Hancock utilizes what the firm calls a cybersecurity guarantee, which backstops potential fraud for individuals who follow the published best practices. If there is an unauthorized transfer that occurred through no fault of the individual, John Hancock will reimburse that account immediately, according to Barry.
“For anything that was taken, we will then take on the responsibility of going after anyone who happened to gain unauthorized access to [the] account,” Barry says. “All that we ask is that [retirement account holders] follow prudent online practices.”
Good online habits include some basics such as keeping information up to date, notifying the firm immediately of any nefarious activity and cooperating with any ongoing investigation, he says.
Both John Hancock and Voya also encourage individuals to enable new security measures such as signing up for two-factor authentication, even when such measures add what can be irritating friction to individuals accessing their own accounts.
“While not always perceived to make things easier for the individual, [it] provides an additional layer of security,” Dirksen says.
Barry also sees the benefits in urging retirement plan participants to be patient with complex password requirements that demand uppercase letters and symbols, as well as two-factor authentication.
“It’s those extra steps that, again, seem to be slightly frustrating in the moment that really bring a second or third layer of security,” Barry says. “That’s how we would think of the three parties working together to make sure everyone’s assets stay secure.”
Working in the background, too, are other new technologies that can alert the plan sponsor of a potential breach.
“Some recordkeepers have included voice recognition technologies and auto fraud detection,” Kreps says. “If you call a call center and [the call is deemed] suspicious, it will flag it as suspicious, and they’ll put a few more hurdles in place.”
Examples of red flags might include if the account is owned by a man, but it sounds like a female voice, or the person calling cannot answer verification questions, Kreps says.
John Hancock’s call centers also employ geolocate call origins and listen for background noise based on an understanding that some large fraud operations function as a group. The mobile app, which relaunched last spring, also has full biometric capabilities, which has led to John Hancock suggesting people start with the mobile app, because it requires a facial ID or fingerprint ID.
“When you think about protecting your house, it’s not just your front doors, it’s your garage and your windows,” Barry says.
While some firms, such as John Hancock, have developed types of cybersecurity guarantees, identifying who is responsible for a loss remains an ongoing conversation more broadly across the industry, according to Kreps, and includes regulators.
“Eventually we’ve got to figure out how to deal with this and how to apportion that responsibility, because if I had a billion-dollar 401(k), no one’s going to want to make that up,” Kreps says.
Kreps anticipates that, over time, Congress, regulators and the industry will work together to develop clear guidelines, as they have in other industries.
“When was the last time you seriously worried about your car or your credit card being stolen?” Kreps asks rhetorically. “The private industry and recordkeepers are much, much, much further ahead in their thinking about this than Congress.”
Kreps sees attention to these issues growing, including through the efforts of working groups that include multiple recordkeepers, to develop standard industry practices. He points to recent Department of Labor guidance tailored to employees as underscoring some of the widely accepted techniques plan sponsors can encourage, such as monitoring accounts for unusual activity, changing passwords and taking care not to share personal account information with others.
“The Department of Labor’s guidance didn’t have too much that was new, but what it did is highlight the importance of the issue,” Kreps says. “Regulators are looking closely at it. They don’t know precisely how to attack the problem; I don’t think any of us do. The criminals have a pretty strong financial incentive to continue to innovate.”
Tags
Reported by
Art by
Jam Dong
Reprints
To place your order, please e-mail Industry Intel.