Jul 23, 2019
Newport understands how important information and data security is to your business and ours. In this fraud protection webinar, discover the ways we are protecting our clients and their retirement plan participants' information from security breaches, with topics including:
- Enterprise cybersecurity
- Fraud mitigation
- Identity fraud
- Common cybersecurity myths in the retirement industry
- Fraud prevention best practices
to download a copy of the presentation.
Michael: Hello everyone and welcome to today's webinar on protecting your company and participant information from fraud. Before we get started with today's presentation, I'd like to go over a few items so that you can better participate in today's event. You should see in the upper right hand corner of your screen this control panel. When you joined today's webinar, you chose to listen over the phone or on your computer. If at any time you want to change, you can do so by clicking the audio functions in the control panel. You can send us questions during today's presentation at any time. Just type in those questions into the questions panel and we'll try to answer as many questions as possible at the end of today's presentation. We also have a number of materials you can download that have great information about today's topic. You can find those in the handout panel, and with the housekeeping out of the way let's start with a quick poll.
Michael: Laurie, if we can advance to that poll question. Here we go. For a company to experience cyber fraud activity, it means there's been a security breach where the company's information system has been compromised. Is that A ,true or B, false? And while you're answering that, let me introduce you to our first presenter today, Eric Brickman, Newport's executive vice president of global technology and digital innovation. He has over 27 years of experience leading strategy, digital integration and technology in the financial services industry, and he has a great deal of expertise in today's topic. And Laurie, if we can close that poll. Let's see how [inaudible 00:02:46]. So we got 25% saying true, 75% saying false. Hang onto that because Eric's going to give us the correct answer a little bit later on. And so with that being said, Eric, take it away.
Eric Brickman: Well thank you very much Michael, and thank you for everyone taking the time out of your busy days to address a very important topic in our industry and it has been and it will continue to be. Cyber security, fraud prevention is very important and it's a prevalent topic for all the providers and our plan sponsors in particular in this industry. So let me quickly go through the agenda. What we're going to share today and talk about, we're going to start with some of the kind of foundational basics. What is cybersecurity? What is cyber fraud? And what it means to put the correct technological infrastructure components in place to protect ourselves against that, both from a policy point of view, systems point of view and using a lot of third party expert's solutions in order to make sure we have a ironclad foundation to protect our data.
Eric Brickman: So that's going to be foundational. And then we're going to talk about things specific to the industry. So you know, what is fraud in our industry and what are things that Newport and our plan sponsors can do to help us prevent and address it? So digging in, we're going to go to ... We're going to start on slide seven, and this slide, it talks about the, you know, cyber security and the role within the industry. And the important part to note here is, you know, whether it's a retirement industry, the banking industry, insurance industry, we're all kind of in this together because fraudsters. obviously, they kind of see it all as personal ... You know, there's accounts they want to get access to. They want to get access to the money or the information so they could sell the information on the black market. So we have to put the protections in place to prevent that.
Eric Brickman: So the role is, it obviously protects our data from things like identity theft and fraud prevention, and we don't want our client data to ever appear on the dark web. It protects our networks, obviously, from hackers and those that are going to try to crash our systems. Protects our clients, a lot of you, system sponsors, advisors, to make sure that your information that we hold, that we're the stewards of, is maintained securely. Obviously it protects our partners. We have a lot of outside trade partners, trust companies, insurance companies that we as Newport, we are kind of a hub and spoke. We deal with a lot of other financial firms on behalf of our clients, and we protect them downstream as much as we protect ourselves. And as far as protecting the company, obviously our reputation, our services and our employees are valued greatly at Newport and we want to make sure that they're protected.
Eric Brickman: And then the industry as a whole, you know, protecting the confidence for the industry in our regulatory, in our compliance environments. It all kind of, all of these pieces kind of have to be in place to make sure that our industry is protected and all the different key stakeholders are taken into consideration. Going on to the next one. Not to show you anything you're not already aware of, but why is this such an important topic for today? I mean this is one view of the world, but data breaches are in the news all the time. This is just a high level timeline of some of the big ones that have made the news over the past 10 or so years. And if you were to even look in the last two years alone, the frequency is just kind of blowing up.
Eric Brickman: Whether it's Facebook or other organizations, you're seeing cybersecurity attacks, account takeovers, data breaches, much, much more prevalent because the fraudsters are getting much more clever about how they go about it. So this just says from these incidences alone almost 5 billion personal records were breached and are most likely out on the dark web. So not a place we want to be. Obviously this paints a background that says this is important, we need to address it. Moving on to the next slide. And what they're looking for, well sometimes they're looking to access funds to actually withdraw money from accounts. But many times when you talk about cybersecurity breaches, there's a difference between breach and fraud, and I'll kind of get into that in a little bit, but the breach is about the information, the personally identifiable information, the Social Security numbers, date of birth, addresses, account information, that kind of stuff.
Eric Brickman: That's a valuable asset to the fraudsters. And they sell that stuff on the dark web. When you hear about these breaches, it's less about the money. It's more about the information which they can sell, and it's our job, obviously, to make sure that this stuff is protected. The next one goes into a little bit ... The next two slides will kind of highlight from a Newport point of view and from an industry point of view, how do we go about protecting this, the PII, the personally identifiable information? What this slide shows is Newport's cybersecurity framework. And my guess is most providers will have something similar to this. It really focuses on what are the policies, the end to end solutions where you're protecting the data, you're using SOPs, you're using auditors, you have vulnerability assessments, you're partnering with outside organizations like the SPARK Institute and you have safeguards about encrypting your data and making sure that you have limited access to the data.
Eric Brickman: And a lot of those things are policy-driven. Newport has its own framework and there's obviously a lot more information in our governance materials. If you need any of that, we're happy to share it. But this is a foundational component of how we're organizing ourselves from a cybersecurity perspective. The next slide is going to go into a little bit more technical. I'm not gonna go into a lot of the details, but I want to give you a sense of some of the partners that we have relationships with at Newport to make sure that we do secure your data. If I just kind of ... If you look at the molecule, if you look at the ePlus on the top of the molecule there, ePlus is a publicly traded a security firm. Newport uses them to do all of our third party penetration testing, all of our annual security audits and attestations.
Eric Brickman: And every time we do a new audit every year, they increase the standards because the fraudsters increased the bar. So we constantly find new and different ways to help secure our data through these audits. And we also ... We provide audit results, the high level audit results, to clients as needed. The next one, you hear the term multifactor authentication. There's two firms, RSA and then Twillio, two different firms we use for multifactor authentication. The RSA we use for all of our employees, faxes or networks, and Twillio is a third party firm that specializes in web based access for clients. So if you ever try to access Newport's participant experience, sponsor experience and it's going to say, "Hey, I don't recognize your browser or your mobile device, please go get a pin code." It's one of these systems which we're driving that solution through.
Eric Brickman: And these are all best in class multifactor authentication systems. And in fact multifactor authentication is probably one of the strongest ways to secure client data and prevent people from accessing it who you don't want to access it. Of going around the molecule there, Secureworks is a firm that specializes in managed security monitoring. What they do is they look at all of your network logs that we have throughout our data centers and our internal systems and they basically have artificial intelligence protocols that find patterns of usage, access points. So it will tell us if it's finding unusual activity or unusual entrance of users into our systems that we don't expect. And it does this stuff in real time. So if someone's trying to get into our networks through avenues that we don't approve or in a manner which we don't approve, it'll pop up on our radar really fast and we'll be able to address it very quickly through this relationship we have with secure works.
Eric Brickman: Imperva, the next one, goes hand in hand with Secureworks. This is basically the perimeter protections. These are the physical perimeter protections that stop people from getting into our data centers. And again, Newport's a big believer in best in class solutions. Imperva is one of the global leaders in perimeter protections to make sure that people don't get access into your data centers. And if they do try to hack them, then it links up with Secureworks and we get notified right away. Going around the molecule, the last two, Terranova, it's a leader in security training. All of our Newport employees are required to go through security and phishing training, and we do random phishing tests to see if anybody accidentally clicks on a wrong link. And then that individual is then put right into a remediation course for phishing training.
Eric Brickman: And as much as we make sure that systems are in place, people are really the first line of defense. So we partner with Terranova for security training. And then the last piece, this what's called WhiteHat Security, they're actually a standards organization which trains development teams on how to code against fraud. So you have all the people in the code and they're doing all the development, well there's ways that they can actually develop to prevent people from being able to hack it. And every year we get updated on the WhiteHat standards then we train our entire development organization to make sure that they're developing with the latest anti hacking protocols in our code. We call that cybersecurity ecosystem. But again, you get the gist. So you have the framework, which we talked about previously, which is more policy driven.
Eric Brickman: And then you have the ecosystem, which is a bunch of best in class third-party organizations that help us secure our information. The next slide, I touched a little about standards. Newport is a member of the SPARK Institute's Cyber Security Initiative, and they recently published a standards document, which I would highly recommend all of those on the call get access to. And I think you can actually get access to it directly through this webinar. It provides basically things that providers and plan sponsors need to do to secure their data. And it provides a set of standards where if you're going to, if you're going to evaluate providers of other benefits, retirement or other, it's a great litmus test to see how others measure up.
Eric Brickman: And then let's ... The bullets, below there, the security breach. I just want to confirm that from a definitional point of view, and these are part of the standard, security breach is where a system is compromised, but fraud or identity theft is where the account is taken over through more of a a login process. So you can have the best systems in the world, but if someone gets access to someone's login credentials, that's fraud and identity theft. There's two sets of protocols that have to go into place to make sure you protect against breach, but you protect against identity theft. And we do both obviously, from Newport's pro view. And then the very last bullet there, the poll question is obviously false.
Eric Brickman: And clearly 75 or 80% of you already knew that. So that was great. Let me go to, I think it's my last slide. I talked a lot about breach protection. Now we can talk a little bit about fraud prevention, which is the other leg of this stool, which how do we stop people from getting access to data that we know is secure in our systems, but people will try to log in inappropriately? So we have a whole set of procedures about authentication, whether it's multifactor authentication, security questions, the password requirements. We now use biometric on mobile so you can do your fingerprints as well as our call center has additional call center protocols to make sure that they're properly authenticating individuals through the call center, and fraudsters do often try to access accounts via call center services, so we have additional safeguards from that point of view.
Eric Brickman: We even do things like multiple tiered firewalls. Obviously we encrypt all of our data, whether it's in transit or at rest. We log absolutely everything from the type of user and whether it was a proxy user, a real users. There's all kinds of technical terms and how you identify a user, but we log everything and then we evaluate and audit those logs. We even track IP addresses to match up certain bent patterns and trends around are certain IP addresses, accessing certain accounts or multiple accounts and if so, that could flag potential fraud activity. We have other areas where we're just sending out confirmations. Simple things like a transaction confirmation is a measure of fraud prevention. Sending out a confirmation about an address change, an email change. We obviously do those because those are important measures of fraud prevention, making sure that if someone's aware. If someone's not aware of something that happens in their account, then they're made aware of it and we can usually jump on it much quicker.
Eric Brickman: And then at the bottom it talks about AI based fraud protection. We talked a little bit about that earlier. We use artificial intelligence data monitoring of all of our logs and it highlights potential risky scenarios. And my closing point is on the right hand side, it's a very interesting comment. A lot of people, and Scott who's going to talk in a little bit, might address this a little more. A lot of people feel that, "Well, if I don't go online and I don't set up my account, then I'm safe because I'm not an online user. I'm not actively engaging with web tools and I'm not accessing my account online. So I'm quote off the grid. Right?" Actually, those people are of higher risk than users, than often people that log into their accounts because things like their security questions are not set up.
Eric Brickman: Things like multifactor authentication is not set up. So when those things aren't set up, the first time user experience is when that stuff all gets set up. So people that don't go through the first time user experience to set those security parameters up are actually at greater risk of having their accounts hacked into because the fraudster goes in and sets up the security questions or sets up the two factor authentication. So it's much, much safer if someone doesn't want to use their account on a regular basis, at least go in and set up your credentials and then you know that someone else can't go in and do it on your behalf. Those are the kind of more broad based technology related components of the discussion. I do want to introduce Scott whose got tons of background in the retirement space. He's executive vice president of client services and I'll introduce Scott, turn it over to him now and I'll let him say a little bit more about himself before he dives into his slides. So Scott, take it away.
Scott Pollock: Thanks Eric. And Good morning or afternoon depending on where you are in the nation, but excited to chat with all of you today. As Eric said, my name is Scott Pollock. I'm the executive vice president in charge of client services here at Newport, focused predominantly on our qualified plans and ultimately responsible for the delivery of service to you, the plan sponsor, to the plan itself and to your plan participants. In addition to that role, I also sit on our security committee, which is something that we'll talk about in an upcoming slide. But thanks to Eric we now have better understanding of the definitions of cybersecurity and cyber fraud. So it's now time for us to kind of focus on actionable steps that Newport Group is taking and considerations for you as the plan sponsor to ultimately prevent fraudulent activity as it relates to your retirement plan.
Scott Pollock: But before we begin, I think it may be helpful to walk through some examples of what fraud looks like specifically in the retirement industry. As you can imagine, and as Eric alluded to, criminals are becoming more and more creative and fraud can take many different forms. ultimately, however, it basically comes down to the impersonation of either a plan participant or the plan sponsor in executing a transaction that's ultimately gonna either steal information to put on the dark web or at worst, steal money from an individual's account. That can be done from everything from a fraudulent call to a call center or trying to gain access to a particular account, or it might be an electronic communication in the form of falsified paperwork to request a distribution. In addition, criminals also have been known to impersonate the plan sponsor in submitting falsified paperwork. This can happen through a compromised email account or from a fake email address meant to look like the real thing.
Scott Pollock: In most cases, the criminal will have established a fraudulent bank account to obtain the money before then moving it to their own individual bank account. In addition to those examples, it's also important to know who's at risk for fraudulent behavior. From a demographic perspective, the two biggest categories of individuals who are at risk are people who are 59 and a half or older. Since those individuals are newly eligible to receive distributions from the plan as well as terminated or retired employees who are also eligible to receive a distribution. And as Eric just alluded to, participants who have never logged into their accounts are particularly at risk. Despite the misconception, regardless of whether or not you register your account, your information, the individual's information is available on the web. If they fail to set up an account, they will not be in control of those security questions and protocols that can be established leaving themselves vulnerable to identity theft.
Scott Pollock: Also, and some of our plan sponsors have experienced this recently, when a participant calls in to our call center and has not yet established protocols there are some questions that are asked to try to validate the person's identification. Some of those questions are pretty obscure. For example, your first car that you ever owned, and therefore create challenges for those participants in establishing their credibility. For those reasons, it is of particular importance to us to ensure that everybody authenticates themselves and registers online as much as possible.
Scott Pollock: On the plan sponsors side, there are also two groups that are at risk. The first is anyone listed on your company's publicly available information, particularly your website, who's listed as an officer of your firm. From there, individuals may receive access to pictures, email addresses, phone numbers that can easily be lifted from the web to establish fake information to replicate the real thing. Additionally, the person or persons who are assigning the 5,500 as either the capital P capital S plan sponsor or a capital P capital A plan administrator. As you know, the physical address of the firm and your phone numbers are published on the 5,500, and in some cases actual wet signatures may be available on the DOL website depending on how the 5,500 is filed. With that, any fraudulent individual could access your own individual identity and impersonate you as the plan sponsor or plan administrator to gain access to the plan.
Scott Pollock: So as we move to the next slide, as you can imagine, criminals continued to become more and more sophisticated in their attempts to access pools of money in retirement plans. As a result, Newport continues to take proactive approaches to addressing the risks posed by those retirement plans. We can see several steps that we've taken as an organization on this slide. At the start, we've established a security committee on which I sit. This committee is responsible for rapidly investigating any and all reported occurrences of fraud and attempts of fraud. The committee consists of individuals such as our chief legal counsel, our chief risk officer, our chief operating officer, among others. The committee has established procedures and protocols to help diagnose and scope issues as they arise and we are a rapid response team that is pulled together as soon as anything is identified.
Scott Pollock: Additionally, we continue to update internal procedures to make them more secure. As examples of frauding in the industry become known. For example, we've recently improved our participant service center protocols to improve security questions in validating the identities of individuals when they call in. Additionally, many of you will have seen the changes we implemented recently around the move to only allow paper checks as this is the most secure method of paying a participant. If a wire or ACH transfer is required we have increased the level of security and steps of validation that we follow to make the process more secure.
Scott Pollock: But note, and I'll bring this up on the next bite as well, that Newport's strong preference is to eliminate electronic payments as much as possible. Paper checks are the most secure way of ensuring that individuals, the right individual receives their money at the end of the day. As Eric alluded to, we've also started to require internal trainings for all employees to educate them on the latest security procedures and protocols and then supplement that training with additional training for our operational and client service staff as appropriate. Our goal is to ensure that all individuals within Newport who touch participants, their accounts, et cetera, are well informed on the latest methods that criminals are using and what protocols Newport Group has in place to try to prevent the fraud from occurring.
Scott Pollock: And then lastly, it's important to note that we continue to monitor all external third-party interactions that we have with the information that we gather from you as plan sponsors and from plan participants. We try to ensure that all our interactions meet our own privacy policies. As you hopefully know, Newport only uses participant information for the administration of our clients' plan. We do not share data with any third parties for any marketing or product purposes. As such, we try to keep your plans and the data associated with your plans and participants as secure as possible.
Scott Pollock: So now that we understand some of the steps that Newport is taking, we want to take this opportunity to offer some considerations on the next page for you as plan sponsors to consider in mitigating your own risks in sponsoring retirement plans. The first consideration that we offer, as I've alluded to, is the elimination of electronic payments. As discussed, Newport Group believes electronic payments are riskier than paper checks. With the creation of fraudulent bank accounts, wires and ACH payments are harder to validate and confirm. Where possible, we would encourage plan sponsors to consider the complete elimination of electronic payments and rely solely on paper checks to perform distributions. While it may increase the amount of time it takes for an individual to receive their money, we think the security that it adds to the process is paramount to ensuring that the right individuals receive that money at the end of the day.
Scott Pollock: A second consideration, as we've alluded to, is encouraging participants to sign into the web and establish their own security settings. This is the best way to ensure that the proper security exists on participant accounts. If participants don't authenticate and establish their own settings, they leave themselves vulnerable to others establishing those settings fraudulently only on their behalf. As such, despite the misconception, accessing one's account at least once to set up their own protocols is the most secure way possible to ensure the prevention of fraud on that account. The third consideration is just a reminder, as I'm sure you're all aware of continuing to protect sensitive data. Where possible, avoid using Social Security numbers or if Social Security numbers are required, find a way to mask them as much as possible. Additionally, any data shared with third parties, including Newport, should be sent securely, password protected via any sort of secure file transfer protocol.
Scott Pollock: We also encourage you to triple check recipients on emails to make sure that the right recipients are receiving that information and you're not sending it to somebody mistakenly or erroneously. The last consideration is the establishment of internal protocols should an incident arise. If and when an act of fraud occurs time is going to be of utmost importance. The quicker one can diagnose and scope the situation, the more rapidly one can respond to it. To the extent you have not already established internal protocols or plans of attack establishing an internal committee, we would recommend or suggest that you consider doing so in advance of any incident from occurring. Having a plan in place prior to an event is critical to then being able to respond timely to that event. With that, I will turn it back over to Michael to help moderate our question and answer session.
Michael: Thank you Scott and thank you Eric. This has been great information. Our audience has a lot of questions and they're still coming in so we'll get to as many as we can. One of the first ones that came in is, "What's one of the most important things I could do today to protect my plan from fraud?"
Scott Pollock: I'll take that one, Eric. As I've alluded to, and hopefully you've heard it multiple times at this point, I think the most important thing that you can do is eliminate electronic payments. The elimination of wires and ACH as an option prevents money from being directed towards fraudulent bank accounts that are sometimes challenging to authenticate, and the move to paper checks is the most secure way possible of ensuring that the recipients are indeed who they say they are and the right individuals receive their money at the end of the day.
Michael: Another question that's come in, and Eric, you touched on this earlier, but the the SPARK Institute paper, what's covered in the SPARK Institute's paper to finding security breach and cyber fraud?
Eric Brickman: Sure. The paper goes into a little bit of background on what the industry is kind of experiencing and why the SPARK Institute is publishing these standards. Also, it kind of goes into kind of a function by function set of standards. A lot of what we talked about here, back end standards relative to how do you manage the data, front end standards relative to limiting access and controlling access to information. Procedural and operational aspects. Just like Scott had mentioned about how do you actually administer the plan and our other various options for servicing the plan that are higher risk or lower risk. So it's really fairly well all encompassing from a provider and plan sponsor point of view as far as what are the risks, challenges, and some of the things that you should do moving forward, particularly within our retirement industry.
Eric Brickman: And it does set a nice level set of standards, which is a common language in a sense, which we can use across the industry. Because many times we'll ... I don't know how many of you have gone out to RFP or you deal with multiple providers, there weren't, at least until now, a common set of standards or expectations around how things are handled and addressed. And I think that's the best thing that this paper does, is it sets a common language, a common dialogue around expectations for security in the industry. So I highly recommend that folks get access to it and look at that paper.
Michael: And just to reiterate, that is located, if you click on the handouts section of the control panel, you can download that paper. Another question that's come in, this one is for Scott, I believe, "What's important about participants signing into their accounts?"
Scott Pollock: All right. Just to reiterate, for the third or fourth time, for participants signing into their accounts, it's critical for two main reasons. The first is the establishment of those security questions and protocols. If a participant does not sign into their own account, they leave themselves vulnerable to someone else signing in and establishing those answers on their behalf. So it's critical from a control standpoint for the participant to be able to answer their own questions and at least establish those so that somebody can't go in on their behalf.
Scott Pollock: The second, as we've alluded to, is if a participant does not sign into their own account, when they do ultimately call our call center, there are additional security questions that are posed to them. Those questions can be obscure and therefore challenging to answer and so it might lead to a dissatisfied or a disgruntled employee who can't seem to get past the security protocols when calling our call center. Had they gone in and authenticated themselves electronically on their web account, we would have avoided that headache to begin with. So those are two main reasons why we think it's important for participants to sign into their accounts.
Michael: Another question that's come in, "If one of my employees participating in the retirement plan has experienced identity theft, what steps should we take to protect their retirement account?"
Scott Pollock: I'll take that one. That's a really good question, and unfortunately it's starting to happen far too often in today's world. There are several steps that should be taken. The first step that I can think of is immediately have the participant go in, change their password on the website to once again try to make their account more secure to the extent that it has not yet been compromised. It's always best to then reestablish a secure protocol and password for that individual to access the account. The second step that I would recommend, to the extent that the plan sponsor, you are the one approving distributions, whether those be loans or rollovers or physical checks of the the full account balance, we would recommend that you monitor the activity on the individual's account to ensure that if distributions are being requested, that is coming from the participant themselves.
Scott Pollock: The third action that we would request is you alert us, Newport, through your client service manager or your relationship manager so that we can put a monitor and hold on that individual's account. To the extent that we are executing payments on your behalf and you've delegated that responsibility to us, or simply to monitor the activity on the account. We can place a hold on any individual's account and then go back to you as the plan sponsor and/or the participant vis-a-vis the validated phone number or mailing address that we have on record before we execute any payment. So we can put a hold either on the whole plan, if the plan becomes compromised, or on any one individual, if that individual's identity has been compromised in some way, to ensure that no distributions are conducted unless we get proper confirmation and authentication from both the plan sponsor and the participants.
Michael: And we have time for one last question, and this one says, "If I want to employ these preventative measures in my plan, who would I need to discuss this with at Newport?"
Scott Pollock: I'll take that one as well. As head of client services, my recommendation would be for you to contact your Newport relationship manager to discuss what changes can be employed on your behalf for your plan. The team that reports to me are well versed in the security measures that we have, they've all gone through internal training, and we can then work with you on an individual basis to ensure that all the best practices that we have are put in place for your plan. So please reach out to your daily relationship manager and we can go from there.
Michael: Sounds good. Scott, Eric, thank you, great information. And thanks to all of you who joined us today. We really appreciate you logging in and listening to our webinar today.
Michael: Hang on just for just one more minute cause we have some important information. On the control panel, you can download today's presentation, you can download the SPARK paper. We also have one other piece that you can download. Again that's in that handout section, and those are great tools for you. Also, you'll receive an email after the webinar, which is going to include links to a replay as well as these downloadable tools so you'll have another opportunity to access all that information. If you have any questions, of course, contact your Newport representative. And when you close out of today's webinar, you'll see a short survey. If you can please answer those questions so we can continue to bring topics of interest to you. We appreciate your insight and your help with that. We will see you all next quarter and thank you for attending today's webinar.