2025 trends report: tech security

Something sounds phishy.


Cybercriminals are getting smarter. So are we. The new policies and practices to adopt this year.

In 2016, Bangladesh’s central bank was the setting for the heist heard around the world. Attackers compromised the bank’s systems connected to SWIFT, the global financial messaging network, and used its credentials to send fraudulent transfer orders. About $101 million left the bank’s account at the Federal Reserve Bank of New York, and roughly $81 million was never recovered. That may seem like a one-off caper in a far corner of the world, but it revealed a fragile, networked future, where a thief on the other side of the planet could bankrupt retirees in Boston.

A wave of system intrusions, phishing, stolen credentials, employee extortion, AI-generated executive voice and video deepfakes and other misdeeds has pushed cybersecurity to the forefront for every institution along the retirement industry’s delivery chain.

“It’s not just about securing the plan itself,” Nick Brezinski, CAPTRUST’s director of information security and network, said in an October 2024 whitepaper (i). “It’s about securing the entire ecosystem, including recordkeepers, third-party administrators, participants and anyone else with access to plan data.”

Attackers now use AI to write personalized phishing emails, texts and social media messages that appear to come from family, friends or an authority figure and that demand personal information, money or both. One fraudster can generate thousands of these lures a day. Because the messages are fluent and tailored, the old tells such as misspellings and generic greetings no longer apply; the dependable check is to confirm any request for money or credentials through a channel you already trust, such as a known phone number, rather than by replying to the message.

In another well-publicized scam in 2024, fraudsters preyed on Elon Musk’s followers with a deepfake video of the Tesla CEO touting “a modern technology for making money.”

By 2027, losses stemming from AI deepfakes and related fraud are expected to reach $30 billion, according to Deloitte (ii).

U.S. regulators jump in.

In 2023, the Securities and Exchange Commission proposed rules that would require financial services firms to maintain and enforce written policies and procedures that are “reasonably designed to address their cybersecurity risks.”

The Department of Labor confirmed in September 2024 that its 2021 cybersecurity guidance applies to all plans governed by ERISA, not only retirement plans. (See the Department of Labor’s Cybersecurity Program Best Practices below.)

A poll of higher education plan sponsors at the TIAA 2024 Advisors Summer Meeting found that all respondents were concerned (70%) or very concerned (30%) about cyberattacks at their institutions. Even so, a significant gap remains between fear and action. Only 27% of plan sponsors have a written cybersecurity policy, according to the Plan Sponsor Council of America (PSCA).

“A whole new wave of cyberattacks and fraud schemes has been unleashed in the past year, and this trend will gain momentum in the years ahead,” says Upendra Mardikar, TIAA’s chief information security officer. “We’re using generative AI tools and processes to modernize, automate, and accelerate detection and prevention of these crimes. Cybersecurity is a collaborative community initiative: We all need to work together to win this battle.”


U.S. Department of Labor Cybersecurity Program Best Practices.

First steps to create a formal cybersecurity policy.

Establish strong security policies, procedures, guidelines, and standards that meet the following criteria:

  • Approval by senior leadership
  • Review at least annually with updates as needed
  • Terms are effectively explained to users
  • Review by an independent third-party auditor who confirms compliance
  • Documentation of the particular framework(s) used to assess the security of the organization’s systems and practices

Create formal and effective policies and procedures governing all the following:

  • Data governance and classification
  • Access controls and identity management
  • Business continuity and disaster recovery
  • Configuration management
  • Asset management
  • Risk assessment
  • Data disposal
  • Incident response
  • Systems operations
  • Vulnerability and patch management
  • System, application and network security and monitoring
  • Systems and application development and performance
  • Physical security and environmental controls
  • Data privacy
  • Vendor and third-party service provider management
  • Consistent use of multi-factor authentication
  • Cybersecurity awareness training given to all personnel annually
  • Encryption to protect all sensitive information transmitted and at rest


i. CAPTRUST, October 2024: Cyber Risk and Cyber Security Plan Sponsors.

ii. Deloitte, May 2024: Generative AI is expected to magnify the risk of deepfakes and other fraud in banking.
