Remote Working and Cybersecurity Considerations for Retirement Plan Sponsors
With the surge in remote working amid the coronavirus pandemic, employers are rightly focused on strengthening cybersecurity protocols to protect the sensitive information that employees access as part of their daily jobs. Plan sponsors also need to think about protecting retirement plan information.
In this volatile market environment, employees may be checking their 401(k) or other retirement plan balances more frequently — and doing so from less secure home Internet connections. The remote working environment may leave employers vulnerable to cyberattacks if they don’t have proper protocols in place and educate employees on how they can do their part to limit cyber threats.
Phishing attacks — emails sent by hackers to obtain sensitive information — increased 600 percent in the first quarter of 2020, according to Forrester Research. Hackers may be highly motivated to access 401(k) portals because they provide access to cash as well as sensitive information that may be used to exploit plan participants and organizations even further.
Employees’ online behavior is cited as the cause of many cyber vulnerabilities, so employers should be thinking about strategies to prevent digital attacks. These include taking action within their information technology (IT) departments to protect information sent to remote devices and developing educational tools to improve cybersecurity awareness for employees.
Strengthening IT Security
The average cost of a cyber data breach is $8.2 million, according to a 2019 IBM report. But most organizations typically spend well below what may be necessary to build the proper information security systems. Companies with remote workers should run advanced diagnostic tests to determine their current level of vulnerability and determine the appropriate budget to help minimize the risk of a cyberattack.
At a minimum, companies should implement the following best practices to enhance their cybersecurity:
- Ensure that all communications are encrypted properly. While most employers are using virtual private networks (VPNs) for employees working from home, it is advisable to go a step further by using Layer 2 Tunneling Protocol (L2TP), a higher level of encryption that can protect the activity of remote workers.
- Establish multi-factor authentication processes for gaining access to company systems and information. These processes make it significantly more difficult for a hacker to access company systems simply by stealing an employee’s password.
- Use cyber intrusion detection systems on company networks to identify any intrusions or unauthorized exfiltration of data.
Other ways to thwart hackers include time limits for employee device usage (leaving a device on and idle for extended periods increases opportunities for hackers to gain access) and using employee clearance levels (essentially internal firewalls) to limit broad access to company information.
Check in with service providers, such as recordkeepers and plan administrators, to ensure their protections are in line with best practices. Remember, as fiduciaries, plan sponsors are required to act in the best interests of their participants, and examining service providers’ cybersecurity protocols is part of that responsibility.
Educate Employees About Information Security
When employees log into their 401(k) plans or access company information from home, they may unknowingly expose sensitive information, such as addresses, bank accounts, Social Security numbers, and private company data. Most employees know they should use secure WiFi networks instead of public networks; they may not realize, however, that their favorite password can be an easy puzzle for hackers to solve. Passwords that are at least 20 characters long and include a combination of letters, numbers, and symbols are exponentially more difficult for hackers to guess than shorter, simpler passwords.
Hackers increasingly are using spear phishing, a sophisticated approach that targets a specific person using personal information to gain access to more valuable data. Employers need to educate employees about these schemes. Many companies are combatting this threat by sending fake cyberattack emails to employees and then rewarding employees who report these emails — or providing further training for employees who fall for these pseudo attacks.
MFA Insight: Information Security is Worth the Investment
The coronavirus pandemic has increased our dependence on digital transmissions and created more points of attack for cyber criminals. Plan sponsors need to rise to the challenge and realize that their employees play an important role in protecting the company’s data as well as their personal information.
The MFA IT Advisory Team is available to review potential gaps in your organization’s cybersecurity approach, offer diagnostic tools, and discuss the latest hacking schemes to help you better understand the most critical threats to your organization’s data.