Cyber criminals are as innovative as those who develop and refine the technology they manipulate—and now their targets include the retirement industry. Experts in a recent panel, and also in a report, weighed in on the tricks those criminals use and strategies that can help thwart them.
In the April 13 National Institute on Retirement Security webinar “Managing Cybersecurity Risks in the Retirement Industry” a panel of experts discussed tactics cyber criminals are using and some ways to respond and even head off the risk they pose. Panelists included Moderator Peter Dewar, president of Linea Secure, a cybersecurity firm in the retirement industry; John Rosenburg, information security officer with the New York State Teachers Retirement System; and Adam Griffin, privacy and cybersecurity attorney with Maynard Cooper.
Where We Are Now
One thing that is different today is that hackers are targeting this industry, Dewar warns. ALM Intelligence Pacesetter Research in its report on cybersecurity in 2022 adds that a key trend this year is that cybercriminals’ focus has moved from acquiring data to compromising organizational operations.
Account Takeovers. Account takeover attacks are on the rise, said Rosenburg, noting that he has seen them done through member and employer portals. And what kinds of attacks?
Some cyber criminals try calling control centers to pose as participants and get information on their accounts and redirect funds, Rosenburg says. Dewar agreed, observing that they will call in multiple times in an impersonation attack; he added that his firm has even seen that happen with high-ranking corporate leaders. They “usually try to get in and cash out as fast as they can,” said Rosenburg, adding that cyber criminals are especially interested in going after loans.
This happens “pretty much every day,” says Griffin. He warns that “While it’s lucrative, we’ll continue to see it,” and that cyber criminals can try 100 member accounts, and even if they succeed with only one, they still make money.
Heightened Hostage Taking. In its report, ALM Intelligence describes a threat that sounds like ransomware attacks, but is a different kind of hostage-taking. It says that rather than targeting data, cyber criminals now seek to disrupt operations; “in effect, holding key organizational functions hostage,” they say. Cyber criminals, ALM says, now are “more adept at probing an organization’s entire value chain for weaknesses and entry points” and exploiting them.
The somewhat good news is that ALM also says that CEOs evince awareness of this, citing recent surveys in which they express fears that cyber threats will be used to interrupt business.
Panelists suggested a variety of steps that an employer, plan administration or service provider can take to prevent such attacks.
Access to Data. Security measures “should follow the data,” Griffin said, suggesting that it is good to consider whether there are controls on access to data.
Annual Review. Rosenburg suggested reviewing standard operating procedures yearly.
Banking. Rosenburg suggested looking for changes to direct deposit arrangements. He also suggested bank account verification.
Vendors. Panelists indicated that it is best to make sure a vendor will be safe and to set guidelines for the relationship with a vendor before entering into one. Rosenburg suggested background checks on vendors and observed that there are security rating services that scan the security of an organization and its service providers. There is often an assumption that a vendor will be taking actions to protect data, but that’s not a safe assumption, said Griffin. “Think about that before a contract is signed,” he said.
Get engagements and contracts and retainers signed early and in advance, Griffin suggested. “Time is of the essence” with legal services, he said, adding, “Get them lined up ahead of time.”
Griffin also suggested that a contract with a vendor shift the risk of a cyber attack to them. “We prefer that risk is on their insurance, not ours,” he said of his firm’s approach.
Risk Mitigation. Heading off cyber attacks in the first place is a useful strategy, panelists suggested. And it starts with risk assessment, which Rosenburg called “a great tool.” He further suggested using IP risk grading services.
Griffin, too, called for risk assessment. Further, he suggested that it be conducted by a third party. They “may see things you didn’t notice and didn’t know were there,” he explained. But once is not enough, Griffin cautioned. “The threats are constantly evolving, so this isn’t a one-time thing.”
Cyber Insurance. “If everything else fails, we like to have cyber insurance,” said Griffin. What’s covered varies, and can make a big difference, he said. “A couple of words in a contract can make a difference of millions and millions of dollars,” he remarked.
Incident Response. Incidents “are really expensive,” said Griffin, adding that with the proliferation of social media it is more and more difficult to keep information taken in an incident from being disclosed.
If breach takes place, Rosenburg suggested, conduct a root cause analysis to help understand where weaknesses are. Griffin added that if there is a cyber security breach, notification obligations depend on the state where one resides—and that employee mobility complicates this.
The Big Picture
Cybersecurity in 2022 “is more than a technology problem,” argues ALM. They suggest that it is also an operational, financial, human capital, value chain, product management, regulatory and strategic problem. It argues that a cybersecurity strategy “must be more than an endpoint security solution” and that it should be a part of relationships with vendors, suppliers, logistics partners and customers.
Dewar, too, advocated forming a strategy, warning that attackers also invest and search before an attack, just like those who secure a plan against them.
ALM further suggests that a cybersecurity strategy can be good business. “A well-crafted cybersecurity strategy can also be a differentiator and competitive advantage,” says ALM, and can be part of a service provider’s long-term strategy.