Public Sector Retirement


        News & Views | Q1 2021

        CYBERSECURITY IMPACTS RETIREMENT SAVINGS

        Retirement and investment accounts have become one of the latest targets of hackers.  These bad actors are known to take over
        a person’s email account and find emails related to retirement and investment accounts.  Then, they set up rules to forward the
        account emails to their own email address, and once that’s done, they do a password reset and complete their effort to access
        a retirement or investment account.  Most often, they take loans because these sometimes have different controls in place than
        outright withdrawals.  They may also change the account owner’s address so the owner no longer receives statements or other
        account information.  Scammers have also been known to “spoof” phone numbers – including those from financial institutions – to
        make it look like the call is coming from a legitimate party.  According to the National Association of Plan Advisors, there has been a
        300% increase in hacks to retirement and investment accounts in recent years.

        What’s a plan sponsor to do?
        Plan sponsors can help protect their plans by reviewing security protocols and account protection guarantees with their providers.
        Having the provider walk through the steps required to make withdrawals of any kind can help reassure plan sponsors that strong
        controls are in place to protect participant accounts, or can identify where controls can be strengthened.  Plan sponsors can look
        for multi-factor authentication, wet signature requirements, and other protocols that involve human interaction and are not entirely
        reliant on electronic transactions.  Plan sponsors can also continuously communicate to participants the importance of monitoring
        their accounts, changing passwords and PINs, and other commonly advised steps to protect their accounts.

        What’s a participant to do?
        Participants are advised to set up and regularly change unique passwords, PINs and other personally identifying information that
        only they know.  Participants should never provide this information to anyone, including their plan provider representative.  Where
        possible, participants are advised to use multi-factor authentication that will involve another device, a separate app, and/or a
        secondary PIN that is only known by the participant. If a participant receives a phone call from someone claiming to be from a
        financial institution, they should tell the caller they are going to hang up and call back.  If the call is legitimate, the caller will never
        object.  Finally, participants can further protect their accounts by checking their email rules periodically, and are advised to audit
        their balances at least monthly.