
Gomez Offers 8 Tips for Protecting Retirement Savings Online

Practice Management

Amid recent cybersecurity breaches in the retirement space, the head of the Department of Labor’s Employee Benefits Security Administration (EBSA) is offering tips on how plan participants can protect their retirement savings accounts.  

As part of Internet Safety Awareness Month, DOL Assistant Secretary Lisa Gomez provides eight tips, detailed below, to help investors reduce the risk of fraud or loss to their retirement account.

Register, set up, and regularly monitor an online account. Regularly checking your retirement account reduces the risk of fraudulent account access and allows you to identify and follow up on any suspicious activity quickly. What’s more, failing to register may allow cyber criminals to assume your online identity.

Use a strong and unique account password. Avoid using dictionary words, sharing, reusing, or repeating passwords when creating your online retirement account. Instead, use a mix of letters, numbers, and special characters, with a length of 14 or more characters. Gomez also suggests updating passwords regularly, such as every 120 days.

Use multi-factor authentication (i.e., two-step verification). Logging into an account may require more than just a username and password. Investors might be asked to verify their identity using a fingerprint or by entering an email or text code. “While multi-factor authentication might seem like a hassle, it's actually a very effective way to prevent an unauthorized person from accessing your account,” the Assistant Secretary emphasizes.

Keep account and personal information up to date! Update your contact information whenever it changes so you can be reached if there is a problem. Provide multiple communication options. Keep track of your accounts, including signing up for activity reports and closing unused accounts. A smaller online presence means your information is more secure, Gomez notes.

Free Wi-Fi isn’t always free. When checking your retirement account, don't use a public Wi-Fi network. These networks can be accessed by criminals. Instead, use your cell phone for internet access or your home network.

Don’t fall victim to phishing scams. Generally, phishing attacks target passwords, account numbers, and sensitive information, and the attackers try to get into investor accounts. A phishing message may appear to be from a trusted organization to lure you into clicking on the link, Gomez notes. Warning signs include an unexpected text message or email, spelling errors, or poor grammar.

Install antivirus software and keep your apps and software up to date. Outdated software and apps can be a security risk. Use trustworthy antivirus software and keep it and other software updated with the latest patches and upgrades. Most vendors offer automatic updates.

Know how to report identity theft and cybersecurity incidents. If you are a victim of a cybersecurity attack, contact the FBI or the Department of Homeland Security to file a report at https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view or https://www.cisa.gov/report.

Meanwhile, for retirement accounts in employment-based retirement plans, the Assistant Secretary emphasizes that plan fiduciaries have a responsibility to take steps to protect the plan against cybersecurity risks. This includes ensuring that recordkeepers and other service providers responsible for plan-related IT systems and data appropriately safeguard your information. 

The Assistant Secretary also appeared recently before the Plan Sponsor Council of America’s national conference, where she suggested that plan sponsors should consider having cyber liability insurance. Gomez stressed that many employers assume that since the company has cyber liability insurance, they would be covered in a breach. But in many cases, the fine print in the policy notes that it applies only to the company and not the company in its capacity as a plan sponsor, something not obvious to most, she explained.

For more information on how to protect plan accounts from cybersecurity threats, visit the DOL’s cybersecurity webpage. In addition, an informative article by Bonnie Treichel and Bonnie Page published last year on NAPA Net featured a discussion on how plan sponsors and advisors can take steps to help protect against cybersecurity breaches.  

 
