The Windes ERISA Group hosted a lunch seminar on Cybersecurity Risks for Retirement Plans, presented by Scott Lanigan of New York Life. This is a pressing subject for all business entities, but the nature of retirement plan accounts and investments presents a unique challenge for investment providers and plan administrators to protect sensitive plan information from attack.
Here are some key takeaways from the presentation:
- Both plan asset information and personal identification are at risk from the dark web
- Fiduciaries have a specific responsibility to safeguard plan information
- Four common attacks:
  - Ransomware (criminals encrypt a hard drive or network for ransom)
  - Phishing attacks (seeking out an end user to infiltrate a network)
  - Wire transfer or email fraud (imposters pose as senior executives requesting wire transfers)
  - Malware (harmful software imported via an internal thumb drive)
- Also a risk of internal fraud perpetrated by insiders
The attacks from outside sources are prevalent and constant. Both ransomware and phishing attacks have moved down to smaller plans with lower monetary targets, exposing many more plans to these types of threats. The best practices for managing the cyber risk include:
- conducting regular and ongoing assessments of risks, and putting internal controls in place to detect new threats;
- designing systems and hiring experts (with SPARK certification) to help manage the risks, including an incident response plan and employee education and training;
- testing and ongoing monitoring of systems, including implementation documentation;
- encrypting and backing up data to national standards; and
- purchasing cybersecurity insurance to mitigate financial risk.
Please contact us for a full copy of the presentation or with any questions regarding your specific concerns about your plan.