Written by Kristian Kananen & Christopher Tipper

Cybersecurity and the DOL/EBSA 

Part One 

 

The Employee Benefits Security Administration (EBSA) of the Department of Labor (DOL) has issued guidance to fiduciaries as to what the agency expects fiduciaries to do to ensure the safety of the Personal Identifying Information (PII) held by qualified retirement plans.  The guidance came in three sections: 

Online Security Tips 

Cybersecurity Program Best Practices 

Tips for Hiring a Service Provider with Strong Cybersecurity Practices 

This whitepaper discusses Online Security Tips.  Best Practices will be discussed in June and Tips for Hiring a Service Provider will be the subject in July. 

Online Security Tips seems the best place to start as the terminology is somewhat familiar.  The tips are intended for plan fiduciaries as well as plan participants.  A plan participant who does not follow the Tips may leave his account in a qualified plan, and possibly the accounts of other participants, vulnerable to fraud.  Participants/employees who are unaware of the steps they need to take to be cybersecure, or who do not care, put their employer and coworkers at risk.  An employer who does not try to educate employees about cybersecurity fails to work in the best interest of their business, customers, qualified retirement plans and participants. 

Some participants may believe that the maintenance of their qualified plan account is the job of the Plan Sponsor or Plan Administrator, and they are correct.  However, the participant has a vested interest in ensuring the account has the deposits expected and in understanding why withdrawals may have been made from their own account.  Mistakes can happen.  An alert participant can bring issues to the fiduciary’s attention earlier than the fiduciary might otherwise find them, by logging into his account on a regular basis and comparing the deferrals deposited with the deferrals withheld from his paycheck.  A participant who fails to register for his online account may enable cybercriminals to assume his online identity.  Plan fiduciaries should ensure the participants know they are required to register and know how to register for their online account. 

‘Strong and unique’ passwords are recommended for anyone registering for a qualified plan online account.  What are strong and unique passwords?   

  • Don’t use words in your passwords – It may be too late to start referring to passwords as passcodes, but that is really what they should be.  The words a participant may associate with their retirement account would probably be more easily guessed by a nefarious individual. 
  • Mix things up by using upper and lower case letters, numbers and special characters – Points are given for complexity, as long as the password is usable and can be remembered. 
  • Make sure your numbers are not in sequence – No 123, abc, or XYZ.  Even though these are easy to remember, they would be a starting point for an identity thief. 
  • Use long passwords with 14 characters – Password is not an acceptable password, even though it is probably the most common of all passwords. 
  • Change passwords every 120 days – Just when a password becomes comfortable, it is time to change it. 
  • Use a secure password manager to help create and track passwords – Allowing a password manager to create passwords for you removes your ego from the process.  It also increases the password security. 
  • And, most important of all, do not write your passwords down – How can one remember the carefully crafted password if one does not write it down?  If this is your question, a password manager could be a saving grace for you. 
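
The password tips above can be checked mechanically at registration or reset time. The following is an added example, not part of the EBSA guidance or this whitepaper; the function names, result codes and the five-word sample list are assumptions, and the sequence check also catches descending runs such as "cba", which goes slightly beyond the tip as written.

```python
import string

MIN_LENGTH = 14      # "Use long passwords with 14 characters"
MAX_AGE_DAYS = 120   # "Change passwords every 120 days"
# Constructed stand-in for a dictionary; a real check would load a full word list.
SAMPLE_WORDS = {"password", "retire", "pension", "welcome", "summer"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def has_sequence(pw, run=3):
    """True if pw holds `run` letters or digits in order (123, abc, XYZ, cba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isdigit() or chunk.isalpha()):
            continue  # a run must be all digits or all letters
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False

def check_password(pw, age_days=0):
    """Return the list of tips the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if not all(any(c in cls for c in pw) for cls in CLASSES):
        problems.append("missing_class")
    if has_sequence(pw):
        problems.append("sequence")
    if any(word in pw.lower() for word in SAMPLE_WORDS):
        problems.append("dictionary_word")
    if age_days > MAX_AGE_DAYS:
        problems.append("expired")
    return problems
```
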

 

Using software that uses multi-factor authentication increases cybersecurity with only minor inconvenience.  The second credential verifies identity while using communication devices associated with an authorized user. 

For many reasons, plan fiduciaries and participants should be sure to keep their contact information up to date.  New cellphone number?  One will have to update contact information for the multi-factor authentication code to be received.  Also, if there is an issue with the security of a participant’s account, it will be necessary for the plan fiduciaries to contact the participant in order to resolve any issues and to mitigate damage. 

Keeping a low online profile minimizes vulnerability.  Be sure that every account will send a notification if there is activity in the account.  Also, closing any account that is inactive or unused minimizes exposure to hackers. 

There is no such thing as a free lunch.  This also applies to free wi-fi.  Airports, hotels and coffee shops all offer free wi-fi, much to the delight of identity thieves.  Using a cellphone hotspot or a VPN helps to ensure safety of all data on the computer. 

Phishing for personal information seems to have been elevated to the level of an Olympic sport for one reason.  It works.  Americans of all economic brackets and education levels are duped into sharing personal information.  EBSA included ways of identifying a phishing attack. 

  • Emails from a person or organization one does not know or do business with and that are unexpected could easily be a phishing attack. 
  • Apparently spell check and grammar check are not used by those trying to get personal information as misspellings and bad grammar are rampant in phishing emails. 
  • If one is unwise enough to click on a link to another website and it goes to a location that does not match what the email implied was the location, back out fast.  One can hover the mouse over the link to see what the destination really is, most of the time.  Be aware that evildoers are catching on to this.  
  • Shortened or odd links or addresses in a phishing email are also an indicator that something is amiss. 
  • The more urgent a reply, or action, the more aggressive the sender is portrayed in an email, the more likely it is a phishing attack. 
  • Strange or mismatched sender addresses should be a red flag. 
  • Just as the IRS will not email you for your personal information, an investment/insurance company holding plan assets will never send an email requesting a password, account number, personal information or the answers to personal security questions. 
  • Carefully reading a phishing email can cause some anxiety or a feeling of uneasiness.  If this is the case, follow your gut and delete the email. 
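
Three of the indicators above (a link whose visible text names a different site than its destination, shortened links, and a mismatched sender address) can be screened for automatically before a message reaches a participant. The following is an added example, not part of the EBSA guidance or this whitepaper; the function names, flag names, the short list of link shorteners and the sample message are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small sample list, extend locally
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname of a URL, with or without a scheme."""
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_indicators(from_header, html_body):
    flags = []
    display, addr = parseaddr(from_header)
    # Display name shows one address, the real sender is on another domain.
    if "@" in display and host(display.split("@")[-1]) != host(addr.split("@")[-1]):
        flags.append("sender_mismatch")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        if host(href) in SHORTENERS:
            flags.append("shortened_link")
        # Visible text looks like a URL but names a different host than the href.
        if URL_LIKE.match(text) and host(text) != host(href):
            flags.append("link_text_mismatch")
    return list(dict.fromkeys(flags))  # de-duplicate, keep first-seen order

# Constructed sample message (not taken from any real email)
SAMPLE_FROM = '"support@planadmin.example" <alerts@mailer.invalid>'
SAMPLE_HTML = ('<p>Verify now: <a href="http://login.unrelated.invalid/x">'
               'www.planadmin.example</a> or <a href="https://bit.ly/abc">here</a></p>')
```
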

Using antivirus software and keeping it up to date helps to ensure the security of a company’s network.  Being sure all software is up to date ensures that the most recent patches and upgrades are in place to stop unauthorized access to the network. 

Possibly the best information EBSA provided was how to report a cyberattack.  Both the FBI and Department of Homeland Security have websites to accept such reports.  These websites are: 

https://www.fbi.gov/file-repository/cyper-incident-reporting-united-message-final.pdf/view 

https://www.cisa.gov/reporting-cyber-incidents 
