
Cybersecurity: The Industry's Next Frontier

Oct 12, 2018

What are some of the best ways to help protect your company's sensitive data? Newport Group's Executive Vice President of Global Technology and Digital Innovation, Eric Brickman, explores this and other timely topics in this webinar, including:
  • Authentication (user login/access)
  • Network/Data Center Security
  • Fraud prevention
  • Artificial Intelligence (AI)
  • And more

Webinar Transcription
Jeff Wirth: Thank you for joining today's webinar. I'm Jeff Wirth, executive vice president at Newport Group. For those of you who have attended before, welcome back. For those of you who are new, thank you for joining us. Before we get started, let's learn a little bit more about the audience with a simple question. Please launch the poll.

Jeff Wirth: So please answer the question. And while you're answering that, let me tell you, we have a great presentation for you today and a presenter who lives and breathes cybersecurity. This is such a timely topic, and every one of us needs to know the lay of the land, both for business and in our personal lives. After this presentation, you'll have a more in-depth knowledge of the dangers and precautions that are inherent in the cyber world. We also have a top 10 list of fraudulent exposures that you can download.

Jeff Wirth: Let's close the poll please. Apparently this is a very aware audience as you are all overwhelmingly concerned about cybersecurity. Let's get right into the presentation, and remember that throughout the presentation you can submit questions and we'll take as many as we can at the end of today's presentation.
Jeff Wirth: Let me introduce Eric Brickman, executive vice president of Global Technology and Digital Innovation. He has over 20 years of experience leading strategic planning, e-business and technology in the financial services industry. Eric regularly speaks and presents at conferences on technology innovation and the digital experience within the retirement and executive benefit industries, and is often quoted in industry publications. Take it away, Eric.

Eric Brickman: Thank you very much, Jeff. I appreciate it. And thanks to all those attending, I appreciate you taking time out of your busy schedules to hear a little about cybersecurity that's happening in our industry. As Jeff said, I'm Eric Brickman, and I'm responsible for enterprise and global technology for Newport Group. And cybersecurity is definitely a hot topic for the industry. So let's start with quickly going over the agenda here. Going to go over kind of a baseline of just defining what cybersecurity is, just so we're on the same page there. Talk a little bit about some of the data breaches in the news, many of those you would have heard of already. Talk about some of the odds or chances that we may be impacted ourselves.

Eric Brickman: The balancing act, and the balancing act is kind of the investment that firms have to make in technology versus other areas of their systems. Authentication, which is typically a very common pseudonym for security. It's typically what people think of when they think of security, is login practices, so we'll talk about those a little bit. Some of the fraudulent activities we see in the retirement industry, some of the trends, some of the things that fraudsters try to do or attempt to do to try to get a participant account. We'll go through some of those examples.

Eric Brickman: The commitment to data security, obviously from Newport, but from within the industry. And then I'll touch on, depending on time, some trends across various domains. I don't want to get too technical on these, so I'll gloss over some of them, but others I'll point out and highlight.

Eric Brickman: Okay, so let's see if I can go to the next slide here. There we go. Okay, what is cybersecurity? I consider it an art and a science; there isn't any one definition that really is used universally. However, typically I would consider it as attacks on confidentiality, integrity and availability by means of social engineering, phishing, un-patched software, social media threats, and advanced persistent threats.

Eric Brickman: Social engineering, for example, is when you get someone that calls up and says, hey, we have an issue with your account, please call us back. Or you get an email that says you need to update your information. A lot of times you hear these frauds relative to taxes: you need to call us right away, there's a problem with your taxes. That's social engineering. Phishing is fairly self-evident, right? Phishing is when you get an email that says, click here to update your account. And then you go to log in to a website, but that website isn't a real website, and it captures your credentials. Un-patched software is just like it states.

Eric Brickman: One of the biggest ways to thwart cybersecurity fraud is making sure that the software on your local machine, even all of our back office server infrastructure, is all upgraded and patched on a regular basis. And by not patching things, it leaves things susceptible to security risk. Social media is self-evident. Advanced persistent threats, that's basically constantly pounding the same website, URL, network. Primarily to kill the availability. And cybersecurity isn't just about account takeover, it's not just about identity theft; cybersecurity is also about availability.

Eric Brickman: So a lot of activity in cybersecurity is just trying to crash someone else's system to make it not available. Not necessarily to access the data. And ultimately the goal of these fraudsters, economic gain, political gain, social justice, and cyber bullying. Any combination of these. So it's quite the spectrum. Relative to breaches that we've seen in the news recently, a lot of these will be recognizable. You know in total there's about five billion personal records that have been accessed illegally through these cybersecurity threats across these organizations. And there's probably three or four since this slide was created. But the last one being the most recent Facebook with the 30 million Facebook accounts that potentially then had downstream account issues based on their single sign-on.

Eric Brickman: So there's a whole bunch of activities and breaches going on. Now I'm not going to call out any one specific instance here, but I will give you some examples of what caused some of these breaches without specifically identifying which one it was. Some may be obvious, like for example, if I say fraud relative to credit cards, you know, swiping credit card information. That clearly goes into the retail space and that caused some of these. But a lot of these were caused by some of the things we talked about already. One of these in particular, a very large breach, was due to a simple phishing exercise where an employee logged into a fraudulent email. Well, clicked on a link in a fraudulent email to log into another website.

Eric Brickman: And when he clicked on that link, that email actually injected malware, which is basically bad software, into their network. And then basically opened up their network to give this outside organization the ability to access it and pull their data out. So from clicking on a simple link in an email, that malware was injected, and it brought down this company relative to this breach. Another was a patching issue, like we mentioned; one of these firms has hundreds of servers in their data centers. And literally when the forensics came back, one of these hundreds of servers didn't have the necessary patch.

Eric Brickman: You know, for example, when you're in Microsoft, or you're in your Apple workstation, and it says, hey, upgrade, you have a new patch or a new version of the software, and you click okay and it does a quick upgrade. It happens the same way on the backend servers as well. So the patch wasn't done on this one server, and these fraud firms have a way to pinpoint which version of applications are running on servers, and then know if a server hasn't been patched then a particular vulnerability exists. So literally out of hundreds, one didn't get patched, this outside organization found it, and was able to get in through this known security hole, through that particular piece of software that wasn't patched.

Eric Brickman: Literally you're talking two minutes of time to patch that server, which would have prevented millions of dollars of security fraud. But that's what brought one of these down. And a third, the last one I'll describe, was caused by a lost personal device. I'm not sure if it was a laptop or a flash drive. But one of the employees lost a personal device, it wasn't encrypted, it was picked up and then sold on the black market. And then they were able to access their computer networks and their client information directly through that device that was lost and then eventually sold.

Eric Brickman: So what seem to be very common, simple things caused these very significant breaches. There are simple things that we could do to protect ourselves, but the fraudsters are in a never-ending game to try to beat us to the punch. Historically, as this slide shows, and this will be updated at the end of 2018, early 2019, upwards of 1,000 critical breaches have been noted through the Identity Theft Resource Center, which is kind of the think tank for these major cybersecurity threats.

Eric Brickman: And you can see it's going up significantly, 10, 20, 30, 40% a year over the last three years. And I have no doubt that it's going to continue to go up once we see the 2018 numbers. So clearly something we need to keep our eyes on, and be very aware of.

Eric Brickman: Relative to awareness, one of the things firms do is they have security software that runs in the back office of their infrastructure, for the most part. These basically look at every ping, or every time someone from the outside tries to access their networks. And these systems evaluate the geolocation, where this entrance was coming from, a particular device, an IP address, history. And even Newport Group, this happens to be the security software that Newport runs on the backend. Newport isn't a globally recognized retail brand, and those get hundreds of thousands of security hits on a daily basis. Newport gets in the hundreds to thousands of security hits on a daily basis. And those are thwarted, luckily, because we have these applications that stop it at the root cause.

Eric Brickman: And we can even block it further up at the telecom source. But this is something that happens every second of every day with all these companies. And frankly I'm amazed that more don't get through, but every day fraudsters find new ways to do it. But we try to stay ahead of the curve.

Eric Brickman: Relative to what it means to us as individuals, right now the best guess is about one in 15 people within the US have already had their information breached, and it's somewhere on the dark web. Which is that kind of fraudulent underbelly you constantly hear about in the news, where people sell stolen identity information. So right now in general across the US, one in 15 people have their information already being sold on the dark web. However, the risks of being included in that population go up significantly based on a couple of factors. A person's wealth, the amount they travel, how much online banking they do, their use of credit cards, even the state they live in. Some states are targeted more than others. And obviously how they manage their passwords.

Eric Brickman: If you're constantly using the same password on 40 different accounts, your likelihood of getting attacked is greater than if you have different passwords. Now you can obviously use third-party wallet-type systems that basically encrypt your password so that no one can see the password; then it generates unique passwords, and it does all these fancy things to try to get around people being able to see or access your passwords. And it also makes it easy to remember all these different passwords, which is often a challenge. But so if you're in the population of wealthy, travel a lot, use online banking, credit cards. And when I say wealthy, I mean kind of the [inaudible 00:13:42]. I'm not talking about making a million dollars a year, I'm talking about making 100, 150, 200,000 a year.

Eric Brickman: Then the likelihood is one in five people in that category have their information already somewhere in the dark web. That's a bit of a scary number, but it's the reality we live in today.

Eric Brickman: Okay, so then with that being the backdrop, what do we do as an industry to address it? So cybersecurity is a thing, it's a discipline, it's a function, it's a domain within the industry. But the key is, how do you balance that? So this balancing act we talk about is balancing security versus functionality versus ease of use. It'd be great if we could just invest all of our technology money on creating more and better widgets that make it quicker and easier for people to do stuff. But if we did that without also investing in cybersecurity, then you're kind of shooting yourself in the foot. Because you're adding all this functionality, making it real easy to access information, which also makes it easy for the people you don't want to have access to the information to do so.

Eric Brickman: So you really have to balance out how much you're going to invest in new functionality, because the more and more functionality you build obviously sometimes impacts ease of use. Right? Added complexity makes it kind of a negative ease-of-use factor. Then the cybersecurity also sometimes is a drag on ease of use. So yes, you require someone to log in and maybe use multi-factor authentication, so it's not quite the easiest experience to get in, but it definitely weighs more on the cybersecurity side of things. See, you've got to weigh these.

Eric Brickman: And I would say from a Newport point of view, we don't come at technology investment, and I believe the industry is kind of coming into this frame also, with security as clearly the top domain of investment. Functionality used to be; experience started really ramping up. But now most firms really need to be in the balance mode. They really need to look at every new piece of technology and the investment they make, and say, okay, what are we doing functionally? Is it easy to use? And is it secure? And they've got to balance those out and weigh them together before they deliver new technology or functionality for the industry.

Eric Brickman: Not always easy to do because you've got different people sparring for and vying for the allocation of those resources. But inevitably an organization needs to balance that out. Okay, let's see if I can go to the next slide here. There we go. Okay.

Eric Brickman: So this I find a very interesting part of the conversation, because we can talk about some real-world examples within the retirement industry specifically about the types of fraudulent activities that the industry sees. I'm going to highlight a couple of these. I'm not going to go into great detail, but you'll get the gist. And you may have heard of many of these yourselves. For example, if you think of the first one, the redirected withdrawals. So what that means is a fraudster tries to change the address of record, primarily for like a direct deposit, or a check to be sent, before that transaction happens, in the hopes that that transaction or that check is sent to the wrong address.

Eric Brickman: So typically they will try to do this online. Their process will be, first they'll go online and change the person's email address on file, sometimes. So when a transaction is performed, that transaction goes ... the confirmation goes to the incorrect email address. And then after they have the email address changed, then they come back and try to change the home address. And again, that home address often ... Sometimes it's sent to the old address, not all the time. And it's sometimes sent to the old email address, but not all the time. So then if they change the email they can sometimes change the home address.

Eric Brickman: And then they go in, and they say, I want to do a withdrawal, or I want to take a loan out on this account. And then that check is sent to that fraudster's address. They do the same thing with ACH. They put a fraudulent account in, and then as soon as the money is received at that fraudulent account they immediately close the account. And a lot of these things go undetected for months. Just think about it: a retirement account holder on average accesses their account online 1-2 times a year. Because these aren't daily trading brokerage accounts. These are kind of long-term strategic plays. So they go into them once or twice a year. They go to enroll, and then once or twice a year thereafter.

Eric Brickman: If fraudulent activity happens in an account, if it's not detected somewhere systematically on the backend or through some operational controls, these things can be sitting around for six months or so before they're detected, and by the time they're detected it's very difficult to recover any of those funds that might have been taken out. So that withdrawal piece is a big part. Reclassifying assets. What that says is, it's a little easier to manage pulling out cash than it is securities, so if someone has access to an account they'll obviously liquidate the assets into cash and then be able to deal with the cash asset.

Eric Brickman: Rollover is fairly self-evident. Someone can know someone that's retiring or terminated, and they submit fraudulent paperwork on behalf of that individual hoping that it's rolled into a fraudulent IRA account versus the person it should be going to. Let's see, just to focus on maybe one more. Well, if you go to the distribution options, that's similar to withdrawals. And firms have different levels of controls over different types of transactions. So recurring distributions are typically managed slightly differently than one-time distributions. And so the fraudsters know that, so they'll look to attack distributions based on how those controls are.

Eric Brickman: It's amazing how smart they are. They know our business as well as we do relative to how we handle transaction confirmations, the information that we use to validate an individual, as well as the operational procedures we have in place as an industry to manage the controls that we have in place to manage how the money is sent. So those are just some examples of real-life fraudulent activities that happen in the retirement industry that Newport and every other retirement firm have to keep very close tabs on.

Eric Brickman: Skipped one. Okay. Relative to commitment, this is a big thing for Newport, and I have no doubt that almost all retirement firms have the same level of commitment. Newport has a security framework that focuses on the full breadth of access points of information. Everything from giving employees access to data networks, physical access to locations. Obviously the client access, advisor access, sponsor, participant, call center, all the different levels of access and the entitlements that go with that. Obviously physical safeguards, leaving paper on the desks and making sure closets are locked and things like that. All the way to SOC 1s, SOC 2s to make sure we have the proper controls in place. SOC 1 around business procedures, SOC 2 around data center infrastructure.

Eric Brickman: And then we do a lot of vulnerability assessments. We do our own annual penetration testing through outside auditors. As well, we have our own internal penetration testing system: every month, and for every release that we deploy new technology, we always run our own external penetration testing on our own systems to make sure there are no vulnerabilities. And then we get upwards of 50 client assessments a year. Some of our large financial institutions, larger retail, globally known brand names, large banks. They'll do security assessments on us. And like I say, we get upwards of 50 a year.

Eric Brickman: And they're everything from answering questionnaires to on-site due diligence walkthroughs of our data centers. As well as looking at our outside testing results. And whenever there is something found on any of these audits, the good thing is, as soon as we address it, a rising tide lifts all boats. So if we address a particular vulnerability that's identified for a particular company, all of our clients across all of our lines of business benefit from that security enhancement, because of our common infrastructure and common platform.

Eric Brickman: So at this point, I'm going to drill down a little bit into some kind of domain areas. Particularly the account takeover, some of the web and mobile technology, a little infrastructure, and then I'll lead up to regulatory, governance and then some emerging trends. To start with the fraud detection and the account takeover piece, by far the biggest account takeover trend that we continue to see is phishing. And like I said earlier, that's where someone asks you to click on an email and then enter your information. You know, you get an email that says, hey, you have to update your account information, click here. You do so, and then some fraudster actually has a complete replica of a login page for an account that you normally would access.

Eric Brickman: So you go and enter your username and password in that page that looks exactly like the one you normally see. You enter your information, you click enter, and then that page refreshes, and the data is gone. What happened was, when the page refreshed, it directed you to the actual login page which they were mimicking, and that person has your credentials. Your login credentials right off the bat. And they can use them to access your account. Very, very common. Very hard to prevent other than through education. Don't click on things that say there's a sense of urgency, you have to update this, you have to click on this now.

Eric Brickman: And then there are things like, the URL is often wrong. The branding is often a little bit off. The language used in the email is often a little bit off. You've got to be real discriminating when anything says, click here and log into your account. And that sometimes makes it harder for the industry because we have to do kind of a yeoman's job to make sure that everything we do send out is recognized as being non-fraudulent. As being real communications, because the fraudulent stuff looks so similar.

Eric Brickman: If I go to the next one, one of the current trends we're seeing is the mobile activity that's taking place. So not dissimilar to the web activity, where someone's going to try to put malware on your computer, more and more you're going to find people are starting to place malware on devices. Your iPads and your iPhones and other smart devices. Because you're accessing your accounts that way and people are able to access your cellphones. So just like with the web, on your computers, we're starting to see mobile devices that have malware on them. So we need to have similar controls in place to thwart that security breach, potential breach.

Eric Brickman: On the infrastructure side we talked about patching. Remember there used to be something called ransomware, there still is, which is someone puts a piece of code on your machine, which basically locks it up, and says, you've got to call this number and give us the credit card to release your machine. A lot of those have died down, thankfully, because a lot of IT software has put in place code that protects against that. Every once in a while they can get through, but then these companies come back and address it very quickly.

Eric Brickman: So that's a good thing, but on the infrastructure side, the real big deal is you've got to make sure all of your servers are patched. That's the biggest thing on the infrastructure side. From a regulatory aspect, this one is actually very interesting and timely. If you remember back when Facebook originally had its issue where there was a third-party vendor that had access to Facebook accounts and then basically sold that to even another third party, and it kind of blew up on Facebook that they kind of lost control of their accounts. And people didn't know their information was being shared, and you had Zuckerberg in front of the Senate.

Eric Brickman: As a result of that, Europe really stepped up their privacy laws, and they instituted something called the General Data Protection Regulation, GDPR. Now the United States doesn't currently follow that model, but it's likely to follow that model in the near future, which will have significant impacts not just for the retirement community, but any industry that has personal information. What I mean by that is, what the European regulation requires is that firms give individuals total control over their information as far as who can see it and who it can be shared with. They also require total transparency as to who has access to that information.

Eric Brickman: So ironically, last night Tim Cook was in Europe and he spoke at the ... I forget the name of this conference in Brussels. And he called for significant changes in the US privacy policy laws. And he's going to come back, and I'm sure he's going to talk to Congress about strengthening our laws, taking on the European model. And he came up with four points of light, saying that people should have the right to manage their own data. There should be total transparency in who has access to it. They should be able to control the right to access, and the right to not have access. The right to stop their data from being shared.

Eric Brickman: So if you think of our own industry, what that would mean from a retirement industry perspective. So right now we have record keepers who hold all the participant data, you have the sponsors, our clients, who are interfacing with the record keeping systems through payroll files and reports and whatnot. And obviously all that information is in the payroll system. Then you have advisors who work on the plans, right? There's a sponsor-level advisor, there's a participant-level advisor, there's call centers involved. There's paying agents involved, there's all kinds of downstream organizations that have to touch this data.

Eric Brickman: Well, think of it at a participant level if you had to make it fully transparent who had access to what information. So I'm a participant, I'm logging in, I see here's my personal profile, or here are my transactions. And then I click some kind of data forensics panel which says, this information was shared with this entity on this date. This information was shared with this entity on this date. That would be quite challenging in our industry. At the same time, giving the participant the ability to opt out of sharing information that isn't required to service their account. Obviously paying agents and check writing and payroll and all that kind of stuff, there's no way to have an opt-out of that.

Eric Brickman: But call center access to participant information, advisor access to participant information, that kind of stuff you give the participant the ability to say, I don't want to share my information with anyone except my employer. I mean, that could have interesting impacts to our industry. And again, that's not happening right now, but it's clearly on the horizon, and we have folks like Tim Cook from Apple who are really encouraging this and really stressing it, both internationally and abroad.

Eric Brickman: Governance, we talked about governance a little bit. This is really the auditing process and the assessments. Most firms are ramping up their security staffs, not just because they have to do the technology piece of security, but they have to do the governance piece of security. So think of governance and procurement; a lot of that used to focus around, is the firm a good firm? Are they viable? Are they in the right industry? Do they have the right products and the pricing and all that stuff? But nowadays it's security, information access, and governance process and policies. So not only are firms being evaluated from an RFP process for the checklist of feature functionality and obviously pricing, but it's also, walk us through your governance process. How do you manage downstream vendors?

Eric Brickman: So not only do you handle data security internally, but when you share that data with a downstream advisor or a vendor, or a partner, how do you know and govern that the information being shared downstream is also being managed securely? Stored securely with limited access? So not only do they require the record keepers to have governance over their own platforms, but they're requiring the record keepers to have governance downstream over third party platforms. Which, again, it's kind of that European model to some degree.

Eric Brickman: It is important from a stewardship point of view to make sure that if you're going to share data that it's going to be used properly, and that's what these governance tactics are requiring. And we're seeing a lot more activity around that, and as a result, clients are staffing up their governance resources. And the retirement providers have to staff up to face off with them.

Eric Brickman: The last thing I'll probably touch on here is emerging threats. Not going to go into great detail, but it just highlights the fact that in the cybersecurity space you can't fall asleep at the wheel on this stuff. Because it's constantly changing, not just the things that we know about, but the things that we don't know about. So if you go down this list, internet of things, right? That's where networks of devices are all connected and talk to each other. Artificial intelligence or machine learning, right? That's where you do this vast data mining to come up with information or to identify specific trends, or to basically predict the future.

Eric Brickman: But these large sets of databases traverse many, many organizations and put it all together. So it's a very difficult thing when you talk about managing data in an artificial intelligence environment. Bots, cryptocurrencies, these are things that are becoming more and more prevalent. Even things like the Amazon Echos of the world, or the Google Homes. When you talk about voice-activated account access and authentication. All those things are new and growing trends that we've got to make sure that we're able to address and take care of.

Eric Brickman: At this point I'm going to stop talking here, and I'm going to turn it back over to, I think, Jeff. Or Mike, I'm not sure.

Jeff Wirth: Yup.

Eric Brickman: Okay, great.

Jeff Wirth: It's Jeff here, thank you very much. And that was a very powerful presentation, Eric. We have some interesting questions coming in. And just as a reminder to the participants, you may continue to submit questions from your screen. Eric, the first question the audience has for you is, what is the most secure way to send distributions to participants: ACH, wire, or checks?

Eric Brickman: Yeah, Jeff, that is a great question. And it goes back to the balancing act that I touched on earlier. It's certainly easier to send information by ACH, but from a risk mitigation point of view, is it the most secure? Probably not. Because it's much easier for fraud to be taken on an ACH than it is on a check that's sent to a home address on file. So as a matter of fact, Newport recently moved away from encouraging ACH in favor of going back to the checks. You'd think from a functionality point of view it's a step back, but when you see the activity, the cybersecurity risk with the ACH piece, it was a measured decision to go back to writing checks. Which is much safer than ACH. At least at the current time, until we can better manage how we're traversing that ACH platform. Okay?

Jeff Wirth: Yup, thank you Eric. Yeah, no, that certainly felt like in a way a step back, but it's like you said, that balancing act. The next question Eric is, what can call centers do to prevent fraudulent activity?

Eric Brickman: Yeah, that's often a very underserved area when you talk about cybersecurity. Most people think online, everything's online, access accounts online, authentication online. But a large part of how the population in the US accesses accounts is through call centers. It's kind of going down over time, but it's definitely still there. And there are things that call centers do that you can't necessarily do with online access.

Eric Brickman: For example, one of the things I know Newport does in particular is, we cross-reference information in public domains when someone authenticates into the call center. So not only does the person ... you know, what's your name, rank, serial number, all that kind of stuff, security questions, but we'll actually access third-party public information like, I'll list three or four streets, you tell me which one you lived at. I'll list four companies, you tell me one you used to work at. Which obviously sometimes is pretty easy since we're in a workplace retirement plan industry.

Eric Brickman: But there's other types of public information that we can ask that isn't in a person's profile, which may not be known if someone's fraudulently trying to access it. It's actually a LexisNexis service, it's a company, LexisNexis, and we use that for this information in the public domain. We also do trend analysis and voice recognition. If a caller comes in and we've had some issues with the caller in the past, and that same caller pops up on our radar, it's going to be routed differently. And then we'll have a more controlled call center manager, or more controlled call center process, take over that call, make sure that it's a real call and not a fraudster.

Eric Brickman: And we do a lot of call recording and analysis on those types of calls. One of the things we're looking at deploying is an AI-based solution which, every time someone calls, can determine what phone number they're calling from, what device they're calling from, if they're calling from an internet phone. And then being able to bounce that off against a network of AI-based services to see if there's any historical trends across other organizations that have tagged that same phone number or device to potential fraud, to flag us so that we can route it separately and have a couple additional questions before we answer that person's call.

Eric Brickman: So there's definitely things call centers can do, and do do, to help protect against cybersecurity. Good question.

Jeff Wirth: All right. Thanks Eric. Next one. How can you keep participant accounts secure when others have authorization to the account? People like their financial advisor, or obviously the plan sponsor for the plan can also see the participant accounts.

Eric Brickman: Sure, yeah, this comes up quite a bit, particularly around advisors and when you have sponsors that have multiple people working within HR that access accounts. There's two things in particular. One is, well actually there's three things. One is to make sure that everyone's using a unique set of login credentials. So avoid shared logins. So at Newport, I can speak personally, we do quite a bit of account access monitoring and analytics to see if people are sharing user accounts. So if there's three people in human resources for a particular client, those three people should each have their own credentials.

Eric Brickman: If there's five people on staff at an advisor branch office that access accounts, each person should have their own login credentials. They shouldn't be sharing credentials. And we actually monitor to see what logins or what credentials are being used at what frequency. Because if you see that there's a particular person logging in 50 times in one day, odds are that credential is being shared. So we'll reach out to that person, find out what the issue is, and then make sure that everyone has their own credentials. So that's the first thing. Everyone should have unique credentials, and we definitely enforce that.

Eric Brickman: The second is transparency and the auditing of access. Newport can see it, sponsors can see it, their advisors can see it, our intermediaries and strategic joint venture partners can see who's accessing participant accounts. And so, for example, if John Smith has an account and Mary from HR, the plan sponsor, accesses that account, it will show in the actual audit records, the online web activity, that the HR person accessed this participant's account. Same if the Newport call center individual accessed somebody's account. And it'll show you the page that they viewed, anything they did on the pages. So you can see full transparency of activity, and it'll specify the time and the name of the person that did it on that other person's account.

Eric Brickman: So if, for whatever reason, a participant logs in or calls a call center, or sees a statement and says, I don't recognize this in my account, I didn't do it. We can quickly find out someone did it on your behalf, here's who did it, here's when they did it. And it's actually visible in real time through our sponsor web. So transparency of who's accessing what accounts, with forensics and audit that you can tie back, is the third thing that's very important. The second thing that's very important.

Eric Brickman: The third thing I would suggest is two-factor, or multi-factor, authentication. Newport was one of the early leaders in the two-factor authentication space. Back in, I think it was February of 2017, we required from that point forward all users, regardless of the role of the user, to go through two-factor authentication through their mobile device to access our accounts. And we've been very successful with that. And looking at recent trends, it's clearly only about 30% of the industry, right, of the retirement industry, that enforces two-factor. Some make it optional. But 30% use two-factor, and we're one of the few that required it across all users, whether you're a sponsor, advisor, or participant.

Eric Brickman: So two-factor authentication is probably the best way to help control access. Good question, thanks Jeff.

Jeff Wirth: Well, thank you, Eric. And that's the time we have today. So if you'll hang on for a couple minutes, I have a few closing items. Housekeeping items. On the interface you can download today's presentation and the top 10 list we referenced earlier. Those will help you evaluate if taking action might be beneficial. There's some great tools. All attendees of today's webinar will also receive an email after the webinar which will include links to the replay and the tools I just mentioned, so you'll have another opportunity to access those.

Jeff Wirth: On your screen is our contact information should you have any other questions. When you exit the webinar, you'll see three quick questions, please answer them so we can continue to bring you topics of interest to you. We'll see you next quarter and thank you for attending today's webinar. Thanks everyone.
