Peter Martini has some good news and some bad news for advisors to 401(k) plans.
"At the end of the day, your network will be hacked," said Martini, who has spent his life developing software and cyber protections for some of the largest government and private enterprises.
Since he co-founded iBoss Cybersecurity 10 years ago, he has battled cyber criminals as they have grown from a "nuisance" into a complex web of global syndicates that, every day, breach networks protected by security costing hundreds of millions of dollars.
The trillions of dollars in 401(k) accounts are becoming particularly appealing to cyber criminals, Martini said.
Not only are they attracted to all the money, but "401(k) accounts really present some of the biggest exposure because people don't check their accounts," he explained. "Advisors and providers to plans also hold so much information on participants that hackers can steal [and] sell on the black market, which can then be leveraged for other attempts at fraud."
Last week, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued a risk alert for what will be the regulator's second round of cybersecurity examinations of broker-dealers' and registered advisors' internal risk protections.
Earlier this year, the agency published findings from last year's exams of 57 broker-dealers and 49 RIA firms, representing a cross section of the industry.
The majority of all firms (88 percent of broker-dealers and 74 percent of RIAs) told the SEC they have been subject to cyberattacks, either directly or through third-party vendors.
Malware and fraudulent emails were the greatest sources of the attacks, according to the SEC's findings.
About half of the broker-dealers and just under half of the RIAs said they had received fraudulent emails requesting client fund transfers.
Some of those frauds were thwarted. About a quarter of the broker-dealers recorded losses of at least $5,000. One RIA reported a loss in excess of $75,000, for which the client was made whole.
Often the losses were preventable, as one-quarter of the broker-dealers that experienced losses said they resulted from employees not following established identity authentication procedures.
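The finding above is about procedure, not technology: a fraudulent fund-transfer e-mail only succeeds when the request is acted on without confirming the sender's identity out of band. The following is an added example, not code from the article or from iBoss, of how a firm's mail pipeline can enforce that step. It holds every transfer request for a callback to the phone number already on file, and escalates requests whose sender identity does not match the client record (unknown address, lookalike domain, mismatched Reply-To, or a client's display name on a different address). The client record, the regex keyword lists and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data (not from the article): verified client contacts as an
# advisor firm would keep them, keyed by the e-mail address on file.
CLIENTS_ON_FILE = {
    "pat.client@example.com": {"name": "Pat Client", "callback": "+1-555-0100"},
}

# Assumed keyword patterns; a real deployment would tune these to its own mail.
TRANSFER_RE = re.compile(
    r"\b(wire|transfer|send|move)\b[^.]{0,80}?(\bfunds?\b|\bmoney\b|\$\s?[\d,]+)", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|immediately|right away|before (the )?close)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a client's domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Classify an inbound message. Returns (verdict, reasons).

    "pass"            - no transfer request found; normal handling
    "verify_callback" - transfer request from an address on file; hold until the
                        client confirms on the callback number on file (never a
                        number supplied in the e-mail itself)
    "escalate"        - transfer request with sender-identity red flags; hold,
                        call back on the number on file, and report as suspected fraud
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = f"{msg.get('Subject', '')}\n{body}"

    if not TRANSFER_RE.search(text):
        return "pass", []

    identity_flags, notes = [], []
    if addr not in CLIENTS_ON_FILE:
        identity_flags.append(f"sender {addr} is not a client address on file")
        sender_domain = addr.rsplit("@", 1)[-1]
        for known in CLIENTS_ON_FILE:
            known_domain = known.rsplit("@", 1)[-1]
            if sender_domain != known_domain and edit_distance(sender_domain, known_domain) <= 1:
                identity_flags.append(f"domain {sender_domain} is a lookalike of {known_domain}")
        if display.lower() in {c["name"].lower() for c in CLIENTS_ON_FILE.values()}:
            identity_flags.append(f"display name '{display}' matches a client but the address does not")
    if reply_to and reply_to.lower() != addr:
        identity_flags.append(f"Reply-To {reply_to} differs from From {addr}")
    if URGENCY_RE.search(text):
        notes.append("urgency language in request")

    if identity_flags:
        return "escalate", identity_flags + notes
    return "verify_callback", notes


# Constructed sample messages for the example.
SAMPLE_LEGIT = """From: Pat Client <pat.client@example.com>
To: advisor@firm.example
Subject: Rebalancing question

Can we talk next week about my allocation?
"""

SAMPLE_ON_FILE_TRANSFER = """From: Pat Client <pat.client@example.com>
To: advisor@firm.example
Subject: Distribution request

Please transfer $5,000 of my rollover funds to my checking account.
"""

SAMPLE_SPOOF = """From: Pat Client <pat.client@examp1e.com>
Reply-To: patclient.personal@mail.example
To: advisor@firm.example
Subject: Urgent wire

Please wire $45,000 from my account today to the closing attorney.
I'm travelling; if you need me, call +1-555-0199.
"""

if __name__ == "__main__":
    for name, sample in [("legit", SAMPLE_LEGIT), ("on-file transfer", SAMPLE_ON_FILE_TRANSFER),
                         ("spoof", SAMPLE_SPOOF)]:
        print(name, triage(sample))
```

The important design point is that even the clean on-file request is held for a callback: the check that prevents the losses the SEC describes is the phone call to the number already on record, and the sender checks only decide whether that call is routine or an incident. The phone number offered inside the suspicious message is deliberately never used.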
The SEC didn't break down the size of the firms that were successfully hacked, but for Martini, that information is somewhat irrelevant.
"Everyone is susceptible. Even more so with smaller firms, which usually have less protection, less software infrastructure and overall, less resources. They're often the easiest targets. Thieves go after easy targets," he said.
The SEC's exams showed a notable difference in how broker-dealers and RIAs assess cyber threats from vendors.
Only one-third of registered advisors require cyberrisk assessments of vendors, while 84 percent of broker-dealers have integrated vendor risk assessments into their understanding of their own firm's vulnerabilities.
That caught the SEC's eye. The guidance it issued last spring suggested that firms run periodic cybersecurity assessments on both internal and external threats from vendors.
Martini thinks that's sound advice, and while he says that regulators can create a good framework for 401(k) advisors to work from when it comes to implementing security solutions, he cautions against implementing minimal protections simply for compliance reasons.
"We find a lot of advisors are working off the 'check-the-box' solution," he said, speculating that rapid evolutions in security protections are not widely understood throughout the 401(k) provider industry.
The good news is that those innovations are not cost prohibitive. What would have come to $50,000 in upfront security costs just a few years ago now can be delivered for "dollars per machine," Martini said.
That's because cloud software allows security providers to monitor a firm's network without having to implement costly and cumbersome servers. "What used to be extremely difficult and expensive is now much more readily available to advisors," he said.
Martini suggests that advisors begin thinking of cyber protection in simple terms. "Anything that can get online through a firm's network absolutely has to be secured," he said. "Computers, laptops, tablets, phones: every device can be hacked, and every device needs protection."
He also said that awareness of cyberrisk must be comprehensive throughout advisor firms. "From the internal executive team all the way down to the lowest employee, everyone must be trained on security best practices."
The main thrust of cybersecurity is shifting from detecting breaches as quickly as possible to protecting the information hackers want to steal.
In the end, what hackers are after in 401(k) accounts is the money. One thing advisors to plan sponsors can do is to help educate participants on the real threats that retirement savers face from the dark reaches of the Internet.
What's the best advice advisors can give to help participants thwart a 401(k) heist? "Tell them to always check their accounts," Martini said.