The US financial services industry is under pressure to better protect retirement savings from hackers © Alamy

With nearly $6tn sitting in 401(k) plans, the US financial services industry is coming under increasing pressure to ensure that retirement savings are safeguarded from rapidly evolving cyber threats.

Some 83 per cent of surveyed investment adviser groups this year ranked cyber security as their biggest compliance concern, marking the sixth consecutive year that the issue has topped the list, according to a survey by the Investment Adviser Association, a lobby group, and the ACA Compliance Group, an advisory group.

“The stakes are enormous,” says Doug O’Rear, co-founder of OnTrack 401(k), a retirement plan advisory group. Money wrongfully removed from a 401(k) plan is difficult to recover, he says, heightening anxieties that a person’s life savings could be wiped out with one hack.

That fear became a reality last year for a Massachusetts woman who discovered that her retirement account worth nearly $200,000 had been drained, according to court records. Local news outlets reported that police later uncovered an elaborate scheme involving an impersonator adding a bank account to the retirement fund and transferring its contents. Although the bank account change triggered a verification code, the woman’s email account had also been hacked and the notification was intercepted.

Compared with breaches in other industries, cyber attacks on retirement accounts have been small in scope, says Tim Rouse, executive director at the Spark Institute, a lobby group for the retirement plan services industry. He attributes this, in part, to the fact that 401(k) accounts have built-in protections against would-be cyber attackers that should raise red flags if attempts were made to transfer money ahead of specified distribution events, such as retirement.

“There are probably easier targets, but that doesn’t mean it’s not a target,” Mr Rouse says. “And it doesn’t mean that our members are not every night worrying about someone trying to take money.”

Legal changes and attention from regulators have heightened scrutiny of the sector. The California Consumer Privacy Act, for one, will ratchet up the consequences of a data breach, suggests Edward McNicholas, co-leader in law firm Ropes & Gray’s privacy and cyber security practice. With the law set to take effect next year, financial institutions are grappling with whether certain information about retirement plan participants and beneficiaries is exempt from the California privacy law.

Information that is not exempt falls potentially within the scope of statutory damages, Mr McNicholas says, meaning that consumers who bring lawsuits do not have to prove actual damages. That is “driving a fair amount of concern” about the potential for effective class action litigation by consumers based on an alleged failure to implement reasonable security measures for 401(k) plans, he says.

Lawmakers are also agitating for enhanced security measures to thwart potential hacks, with two members of Congress requesting that the US Government Accountability Office examine the risks that cyber attackers pose to 401(k) accounts. The letter requested that the office consider 10 questions, including what steps plan sponsors, recordkeepers and additional plan service providers are taking and should be required to take to protect accounts.

Patty Murray, a US senator and signatory of the letter, wrote: “[W]e cannot adequately plan for the future without looking at what new steps and protections are needed to make sure people’s personal information and nest eggs are safe from fraud, hacking, and other cyber threats.”

Patty Murray, a US senator, is agitating for enhanced security measures to thwart potential hacks © Getty

Against this backdrop, the financial industry is scrambling to adapt. Mr Rouse says the proliferation of hacks of personal information has raised concerns among Spark members that more cyber attackers could impersonate a retirement account holder and transfer money from their plans.

To counter such vulnerabilities, efforts are under way to educate account holders about protecting their savings, Mr O’Rear says. This includes discussions about accessing accounts using secure networks and safely sharing account numbers.

These endeavours extend to the people who facilitate requests related to accounts, says Mr O’Rear. Processes are in place and training is conducted to ensure that they are able to identify suspicious requests for distribution, he adds.

Recognising the risks related to cyber attacks, Spark has formed a committee to allow recordkeepers to compare cyber security protocols without publicly revealing sensitive information. Cyber attackers work in concert, Mr Rouse says, adding that various parties collaborate to infiltrate systems and then exploit, sell and ultimately utilise data.

“We need to work together because the bad guys are all working together,” he says.

Copyright The Financial Times Limited 2019. All rights reserved.
About this Special Report

This three-part Cyber Security series covers Artificial Intelligence and Data as well as Ecommerce.

As more devices connect to the internet, opportunities arise for hackers and criminals. The greater use of biometric data on our personal devices is heightening privacy fears, while companies are turning to experts to negotiate with hackers after ransomware attacks. This report examines the importance of cyber security and what can be done to defend against attacks.