Hickok & Boardman

According to a number of reports¹, cybersecurity threats to retirement accounts have been on the rise over the past two years. Qualified retirement plans are prime targets for cyber attackers: the Department of Labor estimates that there are approximately 158 million participants, retirees and dependents covered by ERISA-governed retirement plans, holding assets of about $12 trillion. Retirement plans also maintain significant amounts of highly sensitive personal and financial data, including Social Security numbers, employment information, and home addresses.

Cybersecurity trends related to retirement plans include takeovers of participant accounts, where cyber thieves use phishing emails, hacking methods or stolen personal information to access and withdraw funds from the accounts. Email-related threats are responsible for most attacks, where cyber criminals impersonate plan sponsors, fiduciaries, recordkeepers or participants to request changes in account information, payments or distributions.

It’s important for retirement plan sponsors—and their advisers—to regularly engage in cybersecurity discussion and reviews as an ongoing part of their work. In late June, Lisa Gomez, the Assistant Secretary of the Employee Benefits Security Administration, posted a blog that includes various tips plan sponsors and advisers can pass along to participants for keeping their information safe. Consider sending the following information in an email to your employees, posting as a flyer, or asking your recordkeeper to include a link to the blog post on their website.

• Register, set up, and regularly monitor an online account. Regularly checking your retirement account reduces the risk of fraudulent account access and allows you to identify and follow up on any suspicious activity quickly. Failing to register may allow cyber criminals to assume your online identity.

• Use a strong and unique account password. Avoid using dictionary words, sharing, reusing, or repeating passwords when creating your online retirement account. Instead use letters, numbers, special characters, and 14 or more characters. Keep your password updated regularly (such as every 120 days).

• Use multi-factor authentication (i.e., two-step verification). Logging into your account may require more than just your username and password. You might be asked to verify your identity using a fingerprint or by entering an email or text code.  While multi-factor authentication might seem like a hassle, it’s actually a very effective way to prevent an unauthorized person from accessing your account.

• Keep account and personal information up to date. Update your contact information whenever it changes so you can be reached if there is a problem.  Provide multiple communication options. Keep track of your accounts and sign up for activity reports and close unused accounts. A smaller online presence means your information is more secure.

• “Free Wi-Fi” isn’t always free.  When checking your retirement account, don’t use a public Wi-Fi network. These networks can be accessed by criminals. Instead, use your cell phone for internet access or your home network.

• Don’t fall victim to phishing scams. Generally, phishing attacks target your passwords, account numbers, and sensitive information, and the attackers try to get into your accounts. A phishing message may appear to be from a trusted organization to lure you into clicking on the link. Warning signs include an unexpected text message or email, spelling errors, or poor grammar.

• Install antivirus software and keep your apps and software up to date. Outdated software and apps can be a security risk. Use trustworthy antivirus software and keep it and other software updated with the latest patches and upgrades. Most vendors offer automatic updates.

• Know how to report identity theft and cybersecurity incidents. If you are a victim of a cybersecurity attack, contact the FBI or the Department of Homeland Security to file a report at https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view or https://www.cisa.gov/report.

Sources/ Notes

¹ “Cyber Thieves Are Going After Retirement Accounts,” Forbes, 1/20/23; “For Retirement Savers, Even Minor Cyber Intrusions Pose Big Risk,” Bloomberg News, 11/5/2021.

EBSA. (2022). Fact Sheet EBSA Restores Over $1.4 Billion to Employee Benefit Plans, Participants, and Beneficiaries. EBSA Restores Over $1.4 Billion to Employee Benefit Plans, Participants, and Beneficiaries Fact Sheet (dol.gov)

U.S. Department of Labor. (26, June 2023). 8 Tips for Protecting Your Retirement Savings Online. 8 Tips for Protecting Your Retirement Savings Online | U.S. Department of Labor Blog (dol.gov)

CISA. (2023). Report to CISA. Report to CISA | CISA

Forbes. (20, Jan 2023) Cyber Thieves Are Going After Retirement Accounts. Cyber Thieves Are Going After Retirement Accounts (forbes.com)

Bloomberg Law. (5, Nov. 2021) For Retirement Savers, Even Minor Cyber Intrusions Pose Big Risk. For Retirement Savers, Even Minor Cyber Intrusions Pose Big Risk (bloomberglaw.com)

Kmotion, Inc., 412 Beavercreek Road, Suite 611, Oregon City, OR 97045; www.kmotion.com

©2023 Kmotion, Inc. This newsletter is a publication of Kmotion, Inc., whose role is solely that of publisher.

Pensionmark Financial Group, LLC (“Pensionmark”) is an investment adviser registered under the Investment Advisers Act of 1940. Pensionmark is affiliated through common ownership with Pensionmark Securities, LLC (member SIPC).