Cybersecurity: Do More Than Simply React

Retirement plans are in cyber criminals’ sights, and it takes positive action to head off the threat, said experts in an Oct. 7 Plan Sponsor Council of America (PSCA) webinar. 

“The retirement plan community is a very attractive target” for cyber criminals, warned Tom Briggs, Divisional Sales Manager at Transamerica. Among the threats are: 

  • Phishing, in which attackers send deceptive emails to lure account holders into disclosing sensitive information such as login credentials. Tim Tuller, Director, Incident Response & Cyber Resiliency at Transamerica, characterized such attacks as “common” and “relentless” and remarked that attackers that use this tactic “are now more sophisticated.” 
  • Malware attacks, in which malicious software, often delivered through compromised websites, gives attackers a foothold on account holders’ systems.  
  • Ransomware attacks, in which attackers compromise critical servers, encrypt the data on them, and demand payment for its release. Ransomware is “the commercialization of crime,” said Tuller. 

Action Steps

Meeting the challenge cyber criminals pose, Briggs suggested, takes preventive action. An approach of simply reacting to the threat, he said, is “insufficient and ineffective.” This, they indicated, means taking out a cybersecurity insurance policy, something that Tuller called a “last line of defense,” but also working together with other parties. 

Service Providers. They suggested that service providers should: 

  • have a formal cybersecurity program;
  • conduct prudent annual risk assessments;
  • have a reliable annual third-party audit of security controls;
  • clearly define and assign information security roles and responsibilities;
  • have strong access control procedures; 
  • ensure that any assets or data stored in cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
  • conduct periodic cybersecurity awareness training;
  • implement and manage a secure system development life cycle program;
  • have an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
  • encrypt sensitive data, both at rest and in transit;
  • implement strong technical controls in accordance with best security practices; and 
  • appropriately respond to any past cybersecurity incidents.

Working together with service providers will help, both suggested. They offered tips on steps one can take with service providers, including discussing:

  • whether they have a written cybersecurity policy in place;
  • their ability to cover losses due to data breaches;
  • their security standards and practices;
  • information sharing and confidentiality policies; and 
  • how they respond to potential security incidents.

“It’s much better when there is a partnership between you and your service provider,” said Tuller.

Recordkeepers. Briggs argued that one should be sure to ask recordkeepers whether they are using multi-factor authentication.

Participants. Briggs and Tuller pointed out that it can be helpful to work with participants to encourage them to: 

  • register, set up, and routinely monitor online accounts; 
  • use strong and unique passwords; 
  • use multi-factor authentication; 
  • keep personal contact information current; 
  • close or delete unused accounts;
  • be wary of free Wi-Fi, and to use a VPN if they must use free Wi-Fi;
  • beware of phishing attacks; and
  • use antivirus software and keep it current. 

The Bottom Line 

Cyber security takes vigilance, Tuller suggested, remarking, “You can’t turn it on today and ignore it tomorrow.”