Ascensus Security Overview

Our cybersecurity response program is designed to help keep your financial information safe and is intended to comply with applicable federal and state laws.

Online security is a shared responsibility between you, the account owner, and Ascensus, the service provider. Safeguarding your assets, personal information, and privacy is one of our fundamental priorities. We use a variety of controls to detect and prevent unauthorized access to our network and sensitive information.

Our security promise

We are committed to keeping your financial information secure. Please know that:

  • We will never call or email you to ask you for your login credentials.
  • If you receive a suspicious message, don’t click any of the links or respond with personal information. Report suspicious emails to phish@ascensus.com.
  • If you identify suspicious account activity, notify us by sending an email to AscensusFraud@ascensus.com.
  • During our conversation we will likely ask that you forward any suspicious materials to us and that you answer a few questions to help us address the situation.

 


 

How We Safeguard Your Information and Activity

Safeguarding your information and online transactions requires strong technologies and technical controls. We use the following methods to help keep your online transactions and personal information safe and secure.


Security culture

It all begins with our security culture, where protecting data is a daily focus. All our associates are required to complete annual security-related training, and we have daily reinforcement of the need to protect confidential data. Both our business operations and information technology groups include teams whose sole focus is the protection of your data.

Username and password requirements 

To help prevent unauthorized access, we prompt you to create a unique username and password when you first access your account. A password is a string of characters used to access information on a computer. Passwords help prevent unauthorized people from accessing files, programs, and other resources. When you create a password, you should make it strong, which means it should be difficult to guess or crack. See below for hints on creating a secure password.

A strong password:

  • Is a minimum of eight characters long
  • Includes numbers, symbols, uppercase and lowercase letters
  • Does not contain your username, real name, or company name
  • Does not contain a dictionary word
  • Is significantly different from previous passwords
  • Is unique to the website; do not reuse passwords across multiple websites

Customer verification 

Whether you visit us online or contact us by phone, we always verify your identity before granting access to your accounts.

Strong encryption

Transport Layer Security (TLS) technology is used to establish an encrypted connection between your browser and our Web applications. TLS websites start with “https://” instead of “http://” and signify that you are in a secure online session with us. Your address bar should change color and display an icon indicating a TLS session. For your protection, we require current versions of all modern browsers in order to support these measures.

Systems surveillance 

We’re on the lookout for irregularities across our network and infrastructure all day, every day. We use advanced tools to protect and monitor our environment, and have staff whose sole role is ensuring that our systems are secure.

Firewalls 

Firewalls are protective barriers that defend our networks and computer systems from hackers and cyber-attackers trying to gain access to our systems. We use some of the strongest firewalls available to guard the information housed on our servers.

Logging

System activity is logged on our secure servers in order to preserve the information necessary to validate the transmission of data or the completion of a transaction.

Restricted access to data

We limit access to systems containing customer data to only those employees who need it to conduct business or support key business functions. Access is continually reviewed and only granted to new associates whose roles require it.

Employee education

We make sure that our employees know and adhere to our security policies. All associates participate in ongoing, up-to-date security training, with special emphasis on handling sensitive data and awareness of the latest security risks.

Regularly refine and update security features

We regularly review industry security standards and perform system testing to help identify and implement the most up-to-date techniques and technologies, and to verify that our systems are performing as expected.

Data loss prevention

Ascensus uses data loss prevention technology to gain insights into information flows both inside and outside of our systems. It allows us to block unauthorized or non-secure transfers of sensitive information outside of our environment.

Penetration tests, web application assessments, and network vulnerability scans

Ascensus contracts with leading security firms to perform annual testing of our environment, including our websites, to ensure there are no issues that could lead to a data breach. Any potential problems are addressed by our security team in a timely manner. Additionally, we perform our own testing monthly to help identify interim concerns.

Physical security controls

Electronic card access is provided throughout Ascensus facilities. A receptionist or security professional is on duty in the main lobby of each facility with a data center during office hours. This person checks visitors’ IDs, issues temporary badges, and administers a sign-in log. Entry doors are locked outside of business hours. A list of individuals who have access cards is maintained on a daily basis. Physical access to our data centers is highly restrictive and motion-activated CCTV recordings are enabled on entry doors.

Secure destruction of client data

Ascensus maintains robust destruction methods to ensure secure disposal of paper or hardware that may contain client data. We contract with bonded vendors that dispose of hardcopy documents that are placed in locked shred bins. Our vendor for destruction of hard drives and other electronic media is also bonded and meets or exceeds all government security requirements for secure disposal – and recycles 100% of the material.

Security Actions You Can Take

While we strive to keep your information and transactions secure, there are also actions you can take. The following are some best practices.

Protect your account

  • Create unique and strong passwords; do not reuse passwords between websites.
  • Do not use any portion of your Social Security number for a password or PIN.
  • Review your credit reports at least once a year. Verify that information is current and accurate and that it includes only those accounts and activities you’ve authorized. Work with the credit reporting agencies to have any inaccurate information removed.
  • Store your Social Security card, other identification cards, checks, and accounts statements in a safe and secure location.
  • Do not carry your Social Security card, passport, or birth certificate with you unless absolutely needed.
  • Do not share your personal or financial information over the phone or in person unless you can confirm that the individual and company are legitimate.
  • Frequently monitor your financial accounts and report any suspected fraudulent transaction immediately.
  • Retrieve and review your mail promptly.
  • Shred financial documents that are no longer needed, as well as pre-approved credit offers, receipts, and other documents that may contain financial and personal information.

Protect your computers, cell phones, and other mobile devices

  • Install and set your anti-virus and anti-malware software to update automatically.
  • Activate all operating system security features on your Internet-capable devices.
  • Make sure your personal computer and home network are properly protected from malware by setting up your firewall. Check to see that the firewall has been properly installed — or enabled if it came bundled with your operating system.
  • Make sure to keep your web browser software up to date.
  • Keep the operating system for your computer or mobile device up to date.
  • Never leave your computer, cell phone, or other mobile devices logged on and/or unattended in public.
  • Password protect and lock your computers, cell phone, or other mobile devices when not in use.
  • Only download applications from reputable sources. Be suspicious when installing applications that require you to provide information that has nothing to do with the application’s purpose.
  • If you believe your mobile device is infected with malware, contact your service provider.

Keep your information secure

  • If you doubt the authenticity of any email which appears to be from your plan, plan administrator, or involves your account, attach those suspicious emails to a new email and send them to your plan’s client service team. Then, be sure to delete the suspicious emails from your mailbox, including the Sent Mail folder.
  • Do not click links or attachments if an email seems suspicious, especially if they emphasize urgent action. This is known as scareware and is intended to make you react without thinking.
  • Do not give out personal information. Check a website’s privacy policy before you give them your email address.
  • Create strong passwords. Make your password hard for others to guess by using a combination of letters, numbers, and symbols that are meaningful only to you. Avoid using the same password for multiple websites, particularly financial websites, and be sure to change your password often (at least annually). See also “Create a strong password” below.
  • Consider using a password manager (software to securely hold multiple passwords).
  • Never share your password with anyone.
  • Do not include personal or sensitive data in an email.
  • Monitor your account activity closely and watch for unusual activity.
  • Promptly review all transaction confirmations, account statements, and any email or paper correspondence sent by your plan.
  • When you finish your online and/or mobile banking sessions, be sure to log out. Simply closing the browser window does not accomplish this. Look for a button that says “Log Out” before you close your browser.
  • Shred documents containing personal information.
  • Be aware of your surroundings when making purchases or using the ATM. Thieves have been known to copy credit card information or discreetly take pictures of cards while you have them out.

Practice safe web browsing

  • Only allow popups from sites that you authorize.
  • Only make online purchases using secure sites that encrypt your information. Instead of following links, go directly to the store’s website and navigate to find the special sale items. To help ensure that your information is protected when shopping or banking online, look for an icon that looks like an unbroken key or closed padlock at the bottom of your web browser or within the address bar. When you are asked to provide payment information, the beginning of the site’s web address should change from “http” to “https”, indicating that the purchase is encrypted or secured.
  • Never access a website from a link in a suspicious email.
  • Access financial sites by typing the address directly into the browser’s address bar, instead of clicking a link. Once you’ve typed the address into your browser, bookmark the site. By doing this you can reference the bookmark the next time you need to log in without having to retype the address into your browser.
  • Think before you click. Be cautious about clicking links, especially in emails, and be sure they link to a trusted website. Get in the habit of hovering over links to see the underlying web address. If you’re unsure about a link, you can go to the firm’s website by typing the correct address in your web browser.
  • When buying online, look for online merchants who are members of a seal-of-approval program that sets voluntary guidelines for privacy-related practices, such as TRUSTe, Verisign, or BBBonline.
  • Be extremely careful when using public computers to access financial and other sensitive personal information online. If possible, instead use only known devices, such as your own personal computer which you know has the necessary protections and security features installed.
  • Do not save private information onto public computers. If you’re accessing a private account at the library or another public place, be sure to sign out completely from your accounts and don’t autosave sign-in information such as your username or password.
  • Be wireless-wise. Don’t use public Wi-Fi to access financial websites, business-related documents, or other personal information. When setting up your home network, follow the manufacturer’s security recommendations to ensure your wireless signal is properly encrypted.
  • Be cautious of clickable advertisements, pop-up windows, or fake dialogue boxes with urgent messages. These are often tactics that fraudsters use to steal your personal information.
  • Be aware of the risks of social media. While it’s a powerful tool to connect to friends and loved ones, use caution in what you post.
  • Configure platform privacy settings so only known and trusted people can follow you.
  • Don’t post pictures from vacations until you return. Otherwise, you are telling anyone accessing your profile that you are not home.
  • Don’t share information that fraudsters may find useful, such as answers you may have used to security questions. Common security questions include the name of the street you grew up on or the name of a childhood teacher.
  • Beware of phishing attempts and unsolicited requests; these don’t just happen via email. They can also arrive via social media. Be suspicious of messages or promotions you did not sign up for.
  • Always log out of the website before you close the window. Online fraud can happen when you move from one website to another without logging out of the previous one. When you are logging into a secure website, do so in a new browser window.

Create a strong password

  • The strongest passwords are long and employ a mix of numbers, upper and lowercase letters, and special characters. Passphrases are typically longer than passwords for added security, and contain multiple words that create a phrase.
  • Your password shouldn’t contain any personal or easily attainable information, such as your name, your birthday, Social Security number, or wedding anniversary. In addition, don’t use a component of your username in your password.
  • Make sure you use different and unique passwords for all of your online accounts. Reusing a single password for multiple websites is never a good idea. If a hacker obtains your password, the first thing he or she is going to do is check whether or not that password works for other websites. It’s also a good idea to periodically change your passwords.
  • Do not give out your passwords to anyone, including family members.
  • Remembering a multitude of unique passwords is difficult, and writing them down on paper isn’t secure. Consider installing a password manager. A password manager is a software application that helps a user store and organize passwords. It stores the passwords encrypted, requiring the user to create a master password, a single, ideally very strong password which grants the user access to their entire password database.

Stay informed on the latest fraud threats

  • Phishing is a cyber-threat by which individuals send messages to gain personal information (credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information) from unsuspecting victims. Phishing may occur through fraudulent emails, fake websites, text messages, or direct phone calls claiming to be a financial institution, or another company you have a customer relationship with, asking you for your personal information.
  • SMiShing is the cell phone version of “Phishing”. Using fake company emails, scammers send text messages that appear to be from well-known companies but contain links to counterfeit web pages made to look nearly identical to legitimate companies’ sites. The text messages suggest that there is an urgent need for you to take action to update personal information to avoid an unwanted service charge or another potential threat to your account. The websites then ask you to enter financial and personal information – such as user IDs, Social Security numbers, bank or credit card account numbers.
  • Malware, short for “malicious software,” includes viruses and spyware. These are small software applications which can be installed on your computer, phone, or mobile device without your consent. Malware is used to steal your personal information, send spam, and commit fraud. Without your consent it can download itself during a transaction via your online session and attempt to steal your sensitive data.
  • Many legitimate charities use telemarketing, direct mail, email, and online ads to ask for contributions. However, following major disasters, scammers send email purporting to be from a charitable organization, urging consumers to follow a link and donate, or even send cash. Email may also come from individuals claiming to be a victim asking for a donation.

Criminals are using new schemes that incorporate old techniques to try to trick people into providing personal information or account details. These social engineering attempts include use of sophisticated email and text messages appearing to be from legitimate sources and phone calls appearing to be from authentic individuals or service providers, etc. Carefully scrutinize any requests to divulge personal or account details. Understand your surroundings and be wary of those watching and listening. If you can’t verify a request or confirm that it is authentic, take the utmost caution in releasing any information.

Don’t forget your U.S. postal mail

Even if you conduct a lot of business online, you still need to keep an eye on your physical mailbox.

  • Open all mail from us immediately. We’ll mail account activity confirmations (if you elected to receive them via U.S. mail). We’ll also mail you any updates to your personal information, such as an address change, to confirm the changes.
  • Let us know immediately if your physical mailing address changes. If you are an active employee of your company, your employer will alert us to address changes, but please be sure they are getting the update immediately to pass to us. If you no longer work for the employer that sponsored the plan, please let us know immediately of an address change.
  • Shred financial documents and paperwork with personal information before discarding them.
  • Contact the Postal Service if you haven’t received any U.S. mail for several days as it could be a sign of someone intercepting your mail to either stop you from receiving a timely notification about your account or to steal a check, credit card, or other valuable.

Identity Theft

Identity theft involves the impersonation of an individual through the fraudulent use of his or her personal and account information — e.g., driver’s license, Social Security number, bank account and other numbers, as well as usernames and passwords.

Identity thieves obtain information in a number of ways:

  • From the trash
  • By stealing mail, purses, and other personal items
  • By copying credit card or other information during a transaction
  • Through phishing attacks
  • By submitting false address changes

Avoid being a victim of a social engineer or scam artist by being an educated and aware online consumer. Learn more by visiting OnGuard Online, a service of the U.S. Federal Trade Commission and other federal agencies. OnGuard Online provides information about avoiding scams, understanding mobile apps and Wi-Fi networks, securing your home computer, and protecting family members.

If you are a victim of an Internet crime, report it to the Internet Criminal Complaint Center, a service of the U.S. Federal Bureau of Investigation and the National White Collar Crime Center. You should also report attempted identity theft to the local authorities as well as to the Federal Trade Commission’s Complaint Assistant Application.

Monitor your accounts for fraudulent activity

Contact us immediately at AscensusFraud@ascensus.com if you suspect fraud. Also, let us know if you’ve been a victim of identity theft within the past 12 months.

Identity theft prevention and protecting your personal information

While there is no way to completely eliminate the risks of fraud or identity theft, there are things that you can do to help protect yourself and minimize the risk.

  • Protect your Social Security number. Remove your Social Security number from anything it is printed on, such as checks. Keep your Social Security card not in your wallet, but rather in a secure place within your home.
  • Don’t give out personal information to unknown callers. If an unknown caller asks for your personal or financial information, tell them you will call them back to confirm the inquiry, and then either verify that the company is legitimate, or if it’s a bank or credit card company, call them back using a number from your bill or your card.
  • Regularly review bills and account statements. Make sure you recognize and authorize all charges, checks, and/or withdrawals. If a regular bill doesn’t arrive, call the company to find out why—it could mean that a thief has redirected your mail to another address.
  • Protect important documents at home. Keep your personal information and important documents in a secure place in your home, like a locked file cabinet or a safe.
  • Shred documents containing personal information. Once you’ve paid your bills and reconciled your accounts, shred old account statements, bills, receipts, pre-approved credit offers, and other documents that contain personal information before you throw them away.
  • Protect your mail from theft. Don’t leave outgoing mail (like bill payments) in an unsecured mailbox. Use a locking mailbox or take it to a post box or your local post office. If you are planning to be away from home, call or go online to contact the U.S. Postal Service and request a vacation hold.
  • Streamline your wallet. Carry only the credit and/or debit cards, checks, and/or cash that you need for the day.
  • Be aware of your surroundings. Be conscious of people standing nearby when you are making purchases or using an ATM. Thieves have been known to copy credit card information or take pictures of cards with the camera of their mobile device.

Check your credit report regularly (at least once each year). Make sure the information that it includes refers only to those accounts and activities you’ve authorized.

If You Suspect Fraud

If you think your accounts were compromised, we want to know. Please take the following steps:

Contact us immediately

Send an email to AscensusFraud@ascensus.com.

Conduct a full security scan on all your computers and mobile devices

Malicious users will install software (malware) including keyloggers and screen scraping tools that will allow them to capture your usernames, passwords, and other sensitive information you enter. Install a malware/anti-virus program and scan your system. If you have a program installed already, verify it is enabled (malware can disable it), confirm it is updated to the most recent version, and initiate a manual scan. You need to make sure you’ve removed any malicious code from your computers and devices before completing the next steps.

Change your credentials on all websites you log in to

To keep a malicious user out of your accounts, change your password and security questions on all websites. Pay special attention to changing your password and other related information used to log into your email and social media accounts as access to these will often allow access to other websites via password reset and single sign on functions. Since many people use the same credentials on several accounts, it is important to change them universally and not just on specific accounts. Use a unique password for each website. Creating and managing secure passwords can be difficult so leverage a password manager tool to help you generate and save them.

Alert the three major credit bureaus

These companies monitor your credit activity and can block people from opening accounts using your information. Contact each credit bureau using the Internet sites and/or phone numbers below:

Equifax: 888-766-0008

Experian: 888-397-3742

TransUnion: 800-916-8800

If you suspect phishing

Do you suspect phishing?

If you received an email claiming to be from Ascensus requesting your private information, please forward it to phish@ascensus.com immediately and let us know if you clicked any of the links in the message and/or entered your personal information on a website.

Stay vigilant

Malicious users will often share or sell breached data such as usernames, passwords, email addresses, and ties to online services to help other malicious users carry out new attacks against individuals. Look out for targeted phishing emails. Also, do not reuse old passwords after any period of time as they may be tried again months or even years later.

Asset Protection Policy

Ascensus is committed to working with you to protect your savings. If assets are taken from your account in an unauthorized online transaction on your account website—and you’ve followed the steps described in the Your responsibilities section below—Ascensus will reimburse assets taken from your account in the unauthorized transaction, subject to the terms and conditions described below. By working together, we can help maximize the safety of your accounts and your personal information.

Your responsibilities
At a minimum, in order for this protection to apply, you are required to take the following steps:
Review and maintain your accounts.
  • Check your account at least monthly and promptly review all account statements, transactional confirmations, contact information, and other account information we send you, electronically or via hardcopy, immediately upon receipt. Report any errors or discrepancies in your account and any suspected unauthorized transactions or account changes to Ascensus as soon as possible, but no later than 30 days after that information is posted to your account or delivered to you.
Protect your user name, password, and other account-related information.
  • Make sure your user name, password, and answers to your security questions are unique and strong. A unique and strong password is one that cannot be easily guessed if your personal information is compromised. A strong password is also not reused across multiple sites.
  • Never store your user name, password, or answers to security questions in your browser, or print and store them in an insecure location, and always use multi-factor authentication when available.
  • Clear any temporarily stored security information by closing your browser after logging out. Do not leave your computer unattended while logged in to your account.
  • Never check your account from a public computer; for instance, at a library or hotel.
  • Report any suspected compromise of your username, password or other account-related information to Ascensus immediately.
Protect your computer.
  • Make certain any computer you use to access your account has up-to-date security and anti-spyware, antivirus, and firewall software.
Do not reply to e-mail requests for personal or financial information.
  • If you suspect an e-mail is fraudulent, do not respond to it, open an attachment to it, or click a link within it. We will never ask for personal information such as your Social Security number, account numbers, or passwords in an e-mail.
  • Please immediately report to us any email that appears to be from us and that asks for this information. Do not use a link in the suspect email to report the activity.
Cooperate with us and stay informed.
  • Cooperate fully with us in investigating and prosecuting any unauthorized activity in your account, and follow our recommendations about how to protect your account. We may require you to file a police report, complete a notarized affidavit, and/or permit us access to your computer. Ascensus will determine the applicability of reimbursement based on the facts of your situation. Ascensus will not cover taxes, legal fees, lost opportunity costs, consequential/non-monetary damages or amounts that have been or are eligible to be reimbursed by another party.

Details regarding this protection:

This protection applies only to your account serviced by Ascensus, and only in those cases where you have fulfilled your responsibilities. This protection does not apply to unauthorized activity caused in whole or in part by your fraudulent, intentional, or negligent acts or omissions, including activity by a person whom you have intentionally or negligently permitted to transact in your account, or to whom you have intentionally or negligently given access to security information relating to your account. This protection does not apply to unauthorized account activity or account access by an employer, plan sponsor, or any other representative who is authorized to access your account but is acting outside the scope of his or her authority. This protection does not apply in instances where the fraud occurred after a payment correctly left an Ascensus facility; for instance, stolen US mail. Users must ensure their method of mail receipt is secure.

Ascensus will determine the type and amount of reimbursement, including whether to restore to your account cash and/or shares of securities equal to the amount of cash and/or shares of securities in your account at the time of any unauthorized activity. We will determine whether to reverse unauthorized trades and reinstate positions as held at the time of any unauthorized activity. This protection does not cover: any legal or other professional fees or expenses; or any special, indirect, incidental, consequential, non-monetary, punitive, exemplary, lost profit or lost opportunity damages; any taxes, fines or penalties; or any amounts that have been or are eligible to be reimbursed by another party.

Ascensus may seek restitution for reimbursements made to you from the person(s) or entity that committed the unauthorized activity. Ascensus may, at its discretion and as a condition of this protection, require that you assign to Ascensus certain rights you may have regarding your loss and/or sign a release form. You may not assign any rights to this protection from Ascensus to any other individual or entity.

If you have questions regarding the Asset Protection Policy, or have a fraud-related issue of any kind that you need to alert us to, please either call our Participant Services Team or email us at AscensusFraud@ascensus.com.