Part of the reason for an increased focus on cybersecurity in the retirement space is that breaches are increasingly common, Gower said.
"Breaches are increasing, and many of the breaches that are occurring are impacting huge swathes of plans," Gower said. Due to consolidation in the retirement industry, each plan vendor "has a larger and larger share of the market," meaning each cybersecurity breach of a vendor impacts a greater share of plans, Gower explained. Vendor-level breaches are most common, he said, which often affect most, if not all, plans that a vendor works with.
According to Wenzler, "cyber criminal organizations are now functioning more like formal corporations and are more aggressively targeting anyone or anything which can net them a financial gain," which includes retirement plans.
However, "not all cybersecurity breaches are super technical," Gower said. They often involve someone picking up the phone and slowly gaining access to an account by collecting enough information to reset the password.
In July 2022, a former Colgate-Palmolive employee sued the company's employee relations committee, her retirement plan's record keeper and the plan's custodian, alleging a breach of fiduciary duty after she said an individual accessed and stole all the money in her retirement fund, which totaled over $750,000. The perpetrator successfully accessed the account by updating the phone number, email address and physical address on file, creating a new personal identification number, and changing the user ID and password, according to the plaintiff's complaint.
Kim noted that in the public sector, "because of our commitment to transparency," many public officials have their personal information publicly available. Therefore, "bad actors can get some of the information more readily."
Recognizing that threat, "we are doing everything we can to protect our systems and our participants," he added.
The Teacher Retirement System of Texas has a "robust cybersecurity effort," according to CIO Jase Auby, who called it an "agencywide mandate that pertains to benefits, healthcare services (and) investment management."
Gower also warned that an increase in the offering of financial wellness products inevitably means that more personal information is collected from participants, which increases the amount of data that a record keeper already holds.
It's an area that plans should "tread cautiously in and thoughtfully in," he said, because the more data provided to record keepers, the greater the potential impact a cybersecurity breach can have.