Passwordless logins. Data-theft detection in minutes or seconds, rather than hours. More expansive analytics to abort scams.
These are some of the ways that record keepers are deploying artificial intelligence to better secure the workplace retirement savings plans of employers throughout the country.
As advances in AI have accelerated, record keepers say they are doubling down on the technology to better protect clients in a world with dangerous, AI-empowered fraudsters.
“What is probably most alarming is the ability of generative AI to create all of the technical conditions necessary to attack at scales larger than ever imagined before,” said Duke Alden, vice president for client and customer security and business information security officer at Alight Solutions.
One of the biggest recent breaches, the MOVEit cyberattack in 2023, engulfed more than 4 million people in retirement plans whose record keepers used Pension Benefit Information as a third-party vendor. The cybercriminals exploited the vendor’s faulty MOVEit file transfer software to steal personal information in an attack that snagged multiple record keepers, including TIAA and Fidelity Investments.
While record keepers have long used artificial intelligence as a weapon in their cybersecurity war chests, they report leaning into it much more heavily as generative AI continues to gain ground.
“We’ve been using AI, particularly in the form of advanced pattern analytics, for some time,” said Alden, explaining that the company’s embrace of AI and machine learning “predated the emergence of AI being such a hot topic.”
Alight employs some 300 cybersecurity professionals, with 80 of them on Alden’s team overseeing client and customer security. The company’s investment in cybersecurity has been increasing 15% annually over the past four years, Alden said.
TIAA has also been using AI since well before the “whole generative AI craze started,” said Sastry Durvasula, the company’s chief operating, information and digital officer.
TIAA employs “several hundred” associates on the cyber team and an additional “several hundred” on the AI team, Durvasula said, adding that the company has been “beefing up the teams on both sides with a cross-functional team that cuts across cyber and AI.”
Principal Financial Group is another record keeper that has long been using AI in what company exec Teresa Hassara refers to as “cyber tooling.”
Hassara, senior vice president of workplace savings and retirement solutions at Principal, said the company employs approximately 250 information security professionals, a number that has increased each of the past five years.
Ditching passwords
The record keepers are using AI in multiple ways. TIAA, for example, is using it to deploy password-less logins.
“Passwords can be stolen,” Durvasula said. “They could be compromised.”
To provide a secure and user-friendly way for retirement plan participants to access their accounts, TIAA worked with the Fast Identity Online Alliance, or FIDO, to develop passkeys, which Durvasula described as a “unique cryptographic key pair that has public and private keys,” which can be unlocked through facial recognition or a PIN, for example.
“Password-less is what we are going towards for all participant client authentication, plan sponsor client authentication, colleague authentication and various capabilities,” Durvasula said, adding that it is already offered on the MyTIAA retirement website and participant mobile apps.
“Over tens of thousands of participants have created passkeys since our early and recent deployment,” Durvasula said. “We continue to see increasing use and interest in passkeys and are very excited to be able to offer this to our plan sponsors and their participants.”
Principal is also using AI to beef up its verification and authentication processes. The company is implementing a new AI-driven authentication method that requires participants to take a selfie and provide a copy of a government-issued identification document.
The company is moving away from knowledge-based questions, such as where participants went to high school, to authenticate accounts because “bad actors” can very easily overcome those barriers through artificial intelligence, Principal’s Hassara said.
“We take that information and bump it up against other datasets that we have to verify that individual before we give them access to their account,” she said.
Detecting scams
Alight is using AI in “advanced pattern analytics” to detect scams, particularly imposter-type scams facilitated through AI scaling. The company has identified 33 high-risk activity patterns, which it declined to disclose to maintain their continued effectiveness, Alight’s Alden said.
“When we see any of those activity patterns, an alert is generated to our fraud-protection team and we're able then to engage directly on that account much like a credit card company would do,” he said.
TIAA and Principal are also using analytics to detect scams and data theft faster. TIAA, for example, has implemented generative AI in all data-loss prevention capabilities, allowing it to detect data losses much more quickly than with the traditional tools it used previously.
“It typically can take several hours to detect data-loss cases. Using generative AI we could do the same tasks in minutes or seconds,” Durvasula said.
TIAA is particularly concerned about older adults vulnerable to deepfake technology and romance scams.
“We are using AI to monitor the behavior of our clients to spot anomalous behaviors that may be indicative of our client being caught up in a scam. New developments in AI-powered strategies are increasing our ability to review larger datasets of customer interactions and behaviors with predictive insights to spot scams,” TIAA’s Durvasula said.
While AI provides them with new tools to safeguard retirement accounts, record keepers fret that it isn’t a one-sided win just for them and other service providers trying to protect their clients. AI, they realize, also helps cybercriminals get better at committing fraud.
“The tools now available to fraudsters and other attackers can aggregate data from hundreds and thousands of different data breaches that have accrued over the last 20 years — all from data available on the dark web — and in a matter of moments organize that data into very targeted attacks on their victims,” Alight’s Alden said.
Cybercriminals also exploit AI-powered personalization capabilities to mount attacks that are much more effective, according to record keepers.
“The attacks from a year or two ago didn't smell right to a lot of people from a distance because there was always something a little off about them,” Alden said. “What's really changed with AI attacks is that they're much more credible on their face, and it's that credibility that can really, to the detriment of the victim, inspire them to engage urgently.”
The big question for record keepers is whether they can stay ahead of the fraudsters.
It’s an ongoing “cat-and-mouse game,” TIAA’s Durvasula said, adding that the advancement of AI and deepfakes makes it extremely difficult to prevent fraud.
Principal’s Hassara was more optimistic, saying the industry can stay ahead of the criminals by sharing intelligence, investing in technology, and educating employers and their workers about cybersecurity.
“In combination with our regulators, we're doing a really good job of investing in the appropriate technology and tooling to stay ahead of them,” she said. “But we can't slack, we can't rest.”
Alight’s Alden wasn’t sure how the battle would end.
“I’m not sure that either side has a clear preference or benefit on that equation at this point,” he said. “If I had to bet where the battle will land, I think it will end up being a bit of a draw because AI will both empower our adversaries while also empowering us.”