A public pension fund serving more than 200,000 current and former Missouri educators was compromised last month when an employee’s email account was hacked.
The data breach in Missouri lasted less than an hour, and no personal or financial information of the workers and retirees was stolen. But it was the latest in a series of high-profile intrusions involving local governments and major U.S. corporations that highlight the emerging threat cyber vulnerabilities pose for retirement plan participants and their beneficiaries as more of their information is stored online.
The U.S. Labor Department and major financial institutions have doubled down on rooting out wholesale bad actors and defending against large, multifaceted cyber threats in the retirement industry. Yet small cyber crimes and individual cases of fraud remain the most common cyber hazard industry-wide and easily one of the most difficult to stop.
“Account takeover is one of the largest forms of fraud that are evident in today’s economy,” said Troy Pugh, head of business fraud at AIG, in a recent company-sponsored webinar. “How they’re doing that is through email. A lot of times, folks click on things that they’re not sure what they are and it ends up either downloading information or giving the bad actor access to information.”
More than 24 million Americans—nearly a quarter of U.S. adults—have had online accounts, such as workplace retirement apps, taken over by scammers, according to a Security.org survey this year. Account takeovers surged nearly 72%, a Javelin Strategy & Research study found last year, accounting for a 15% hike in losses and out-of-pocket consumer costs that nearly doubled.
The incident in Missouri was short-lived, and the internal operating system that contains personal and financial information for those state workers was never compromised, pension fund Executive Director Dearld Snider said in a statement. The Public School and Education Employee Retirement Systems of Missouri hasn’t uncovered evidence of fraud following the incident or any connection to ransomware attacks around the country, he said.
Regulators ‘Taking Notice’
DOL’s Employee Benefits Security Administration weighed in on retirement industry cyber threats for the first time earlier this year, issuing guidance for retirement plan sponsors in hiring third-party data service providers, best practices for those financial service firms, and tips plan participants can use to keep their online information secure.
EBSA’s “basic rules” for participants include recommendations for strong, unique passwords, use of multifactor authentication, and looking out for phishing attacks.
“A phishing message may look like it comes from a trusted organization, to lure you to click on a dangerous link or pass along confidential information,” the guidance reads.
Since its release, EBSA investigators have included cybersecurity-related questions in ongoing requests for information from plans under audit, focusing their inquiries on third-party contractor and fiduciary insurance contracts.
The guidance was directed mainly at plan sponsors who have been grappling with uncertainty about their data security obligations under the Employee Retirement Income Security Act of 1974.
It’s unclear how pervasive the participant-directed guidance is or even how broadly plans have circulated the DOL’s recommendations, said Sarah Bassler Millar, a partner at Faegre Drinker Biddle & Reath LLP in Chicago
“I think the DOL is taking notice, and the effect that that’s having is that the industry as a whole is paying more attention,” she said. “But the question plan sponsors have been focused on is their fiduciary obligations related to cybersecurity.”