This post was originally posted on Pensions & Investments.

 

As technology in defined contribution expands, so do concerns about cybersecurity, sources said — as much for the participant data that plan sponsors and record keepers hold as for the assets they’re managing.

“It’s an issue across the board that needs to be closely monitored and addressed,” said Sabrina Bailey, director, digital investment advice, Northern Trust Asset Management, Chicago. “The data is already held by record keepers. Data already is in the system. It’s just not being used today. There’s a lot of idle data about a person. The risk is already there.”

Added Bart McDonough, CEO and founder of Agio, a New York-based cybersecurity and information technology provider to the financial services industry: “In some ways, DC plans are tougher to hack because they don’t have as much free-flowing exchange of cash as other accounts do, so you’re not as able to intercept that. With DC plans, it’s more extractive. But they’re still a target because they hold a lot of information about participants. That’s quite valuable for people to extract money or to sell that information on the dark web.”

At record keepers, as with investment management firms in general, Mr. McDonough said “there’s a higher level of breach attempts … to use of the knowledge of prior transactions made by plan members and account holders that can be used to do social engineering.” In such social engineering, hackers try to avert suspicion by mimicking a individual’s routine financial behaviors with the intent of hiding illegal transactions.

“It’s like when you order a package,” Mr. McDonough said. “When you see a brown truck and a driver in a brown suit carrying an Amazon box, you open the door. If you see a beat-up truck, a driver in sweats and a damaged Amazon box, you call the police. Hackers look at job descriptions, past financial activities, and use that to make themselves look as much like you as possible to an investment manager. If you’re expected to transfer money at a certain time, they can expect it and hack into an account to get that money.”

See also  Agio Lands in the Top 15% of 2024 MSSP Alert Top 250 Rankings