US retirement accounts offer tempting target for cyber attacks

With nearly $6tn sitting in 401(k) plans, the US financial services industry is coming under increasing pressure to ensure that retirement savings are safeguarded from rapidly evolving cyber threats.

Some 83 per cent of surveyed investment adviser groups this year ranked cyber security as their biggest compliance concern, marking the sixth consecutive year that the issue has topped the list, according to a survey by the Investment Adviser Association, a lobby group, and the ACA Compliance Group, an advisory group.

“The stakes are enormous,” says Doug O’Rear, co-founder of OnTrack 401(k), a retirement plan advisory group. Money wrongfully removed from a 401(k) plan is difficult to recover, he says, heightening anxieties that a person’s life savings could be wiped out with one hack.

That fear became a reality last year for a Massachusetts woman who discovered that her retirement account worth nearly $200,000 had been drained, according to court records. Local news outlets reported that police later uncovered an elaborate scheme involving an impersonator adding a bank account to the retirement fund and transferring its contents. Although the bank account change triggered a verification code, the woman’s email account had also been hacked and the notification was intercepted.

Compared with breaches in other industries, cyber attacks of retirement accounts have been small in scope, says Tim Rouse, executive director at the Spark Institute, a lobby group for the retirement plan services industry. He attributes this, in part, to the fact that 401(k) accounts have built-in protections against would-be cyber attackers that should raise red flags if attempts were made to transfer money ahead of specified distribution events, such as retirement.

“There are probably easier targets, but that doesn’t mean it’s not a target,” Mr Rouse says. “And it doesn’t mean that our members are not every night worrying about someone trying to take money.”

Legal changes and attention from regulators have heightened scrutiny of the sector. The California Consumer Privacy Act, for one, will ratchet up the consequences of a data breach, suggests Edward McNicholas, co-leader in law firm Ropes & Gray’s privacy and cyber security practice. Set to take effect next year, financial institutions are grappling with whether certain information about retirement plan participants and beneficiaries is exempt from the California privacy law.

There are probably easier targets, but that doesn’t mean it’s not a target. And it doesn’t mean that our members are not every night worrying about someone trying to take money

Information that is not exempt falls potentially within the scope of statutory damages, Mr McNicholas says, meaning that consumers who bring lawsuits do not have to prove actual damages. That is “driving a fair amount of concern” about the potential for effective class action litigation by consumers based on an alleged failure to implement reasonable security measures for 401(k) plans, he says.

Lawmakers are also agitating for enhanced security measures to thwart potential hacks, with two members of Congress requesting that the US Government Accountability Office examine the risks that cyber attackers pose to 401(k) accounts. The letter requested that the office consider 10 questions, including what steps plan sponsors, recordkeepers and additional plan service providers are taking and should be required to take to protect accounts.

Patty Murray, a US senator and signatory of the letter, wrote: “[W]e cannot adequately plan for the future without looking at what new steps and protections are needed to make sure people’s personal information and nest eggs are safe from fraud, hacking, and other cyber threats.”

Against this backdrop, the financial industry is scrambling to adapt. Mr Rouse says the proliferation of hacks of personal information has raised concerns among Spark members that more cyber attackers could impersonate a retirement account holder and transfer money from their plans.

To counter such vulnerabilities, efforts are under way to educate account holders about protecting their savings, Mr O’Rear says. This includes discussions about accessing accounts using secure networks and safely sharing account numbers.

These endeavours extend to the people who facilitate requests related to accounts, says Mr O’Rear. Processes are in place and training is conducted to ensure that they are able to identify suspicious requests for distribution, he adds.

Recognising the risks related to the cyber attacks, Spark has formed a committee to allow recordkeepers to compare cyber security protocols without publicly revealing sensitive information. Cyber attackers work in concert, Mr Rouse says, adding that various parties collaborate to infiltrate systems and then exploit, sell and ultimately utilise data.

“We need to work together because the bad guys are all working together,” he says.