Offering a 401(k) Could Leave Your Organization More Vulnerable to Cybercrime
-Stel Valavanis
It’s no surprise to those in the financial services industry that they are required and expected to maintain a certain level of cybersecurity. The information they work with on a daily basis can easily be used for cybercrime should it fall into the wrong hands, and so financial institutions protect their data against hackers and cybercrime. What may be a surprise, however, is the threshold for what could rightfully be considered a financial institution. Any business large enough to offer retirement benefits can be considered a target with financial information worth stealing, especially as attackers know that employers and plan sponsors are usually not required to have sophisticated cybersecurity measures in place, which makes them new vectors of vulnerability. Organizations that have not planned for high-level cyberattacks, because they do not see themselves as potential victims, are frequent targets of experienced hacking groups. Organizations involved with 401(k) plans, whether as employer or as plan sponsor, should consider that the data they retain may require the kind of security measures that self-identified financial institutions treat as part of their daily operations.
It is being reported that 401(k) plan sponsors are being targeted because they typically do not have the level of cybersecurity in place that vendors or financial institutions would have to defend against attack. This is likely due to the lack of regulation of plan sponsors, who are not covered by the Health Insurance Portability and Accountability Act (HIPAA).
Sponsors also retain highly valuable (and unchangeable) personally identifiable information on each client, including name, address, birthday, and social security number. The presence of this PII raises the stakes of an attack beyond financial fraud and charges the plan sponsor with a layer of responsibility to the ultimate client of the plan, the employee. Responsibility for proper collection, storage, and use of plan participants’ personally identifiable information rests legally with the sponsor, and this responsibility cannot be shifted to a vendor or third party via contract. This was the legal precedent set by the Leventhal v. MandMarblestone Group LLC case, decided in May 2019. What is more, under ERISA, any finding that plan fiduciaries breached the applicable standard of care may result in personal liability for losses attributable to that breach.
The potential personal and organizational liability should be enough to make cybersecurity leaders consider their vulnerability under the best of circumstances, but COVID-19 and other events have complicated the matter even further.
The March 2020 CARES Act, passed in response to the COVID-19 pandemic, removes the penalty for withdrawal from 401(k) plans, pushing activity on these funds to an unusually high level. This makes management even more difficult and crimes more likely to go unnoticed. This new activity level, along with the already high risks of digital communication, now often conducted through insecure devices because of BYOD and work-from-home, increases potential exposure. Employees are even being conned with phishing emails designed to look like information on making changes to their 401(k) plan. Because most people interact with their 401(k) infrequently, employees may have little visibility into activity on their account and may even be unfamiliar with the management methods available to them.
Questions that should be asked:
What are the company’s policies on storing PII?
What are your service provider’s policies?
Are there MFA measures in place?
Are employees trained on and following policy?
Does the company maintain its cybersecurity systems?
Is the company insured?
Has the company ever been breached?