Cybersecurity Threats and Retirement Plans

Posted on Aug 20, 2018

Are you at risk of a cyber-attack? The answer to that question is yes. Millions of credit card numbers and other forms of personal information are stolen from individuals and businesses every year, and identity theft is one of the fastest growing crimes in the country. Many people are aware of cyber threats such as phishing, malware and ransomware. However, what happens if an employee receives a genuine-looking email regarding his/her retirement plan and provides information that results in theft of the funds? What if criminals use personal information to make fraudulent transfers from clients’ 401(k) accounts? Last year’s Equifax breach exposes approximately 143 million Americans to identity theft and account takeovers, including bank and retirement accounts.

Sometimes the thieves are insiders who have access to bank information and social security numbers. In June 2018, a class action lawsuit was filed by retirees against the Denver-based Matrix Trust Company, the trustee of several university retirement accounts. More than $11 million was allegedly stolen from several retirement plans by Vantage Benefits Administrators, which provided recordkeeping services.[1] Breach of fiduciary duty, breach of contract, and ERISA violations are just some of the charges that can be levied against retirement plan service providers and recordkeepers whose actions, or inactions, lead to theft from retirement plans.

Best practices regarding cybersecurity and data protection are critical, particularly since retirement accounts hold large amounts of money and a gold mine of sensitive data about plan participants. Sophisticated criminal rings that gain access to accounts have been successful in making unauthorized distributions, loans, or transfers. While there is currently no comprehensive federal law that governs cybersecurity for benefit plan service providers, the consequences of criminal activity can be severe. Security breaches and theft can expose plan administrators and their service providers to state and federal fines, lawsuits by participants, and damage to the company’s reputation.

The ERISA Advisory Council has identified four major areas for service providers to develop effective practices and policies:[2]

1.    Data management, including protection and control of personal information

2.    Technology management, including maintaining current technology and security systems

3.    Service provider management, such as conducting due diligence on the data security plans of vendors

4.    People issues/training, such as properly training and managing employees

The ERISA Council recommends that plan sponsors establish a strategy to manage cyber risks and consider insurance that provides protection for participants against financial damage in case of a breach, coverage of costs related to required breach notifications, and other possible penalties.

Education for plan participants on account security is also important. Plan participants should check their retirement accounts often to ensure accuracy of their balance, address, and other identifying information. Strong passwords, email notifications regarding account changes, security questions that are difficult for hackers to guess, and two-factor authentication for account access are additional ways plan participants can protect themselves. Unfortunately, there is no magic bullet for companies or individuals when it comes to cybersecurity; the reality is constant vigilance and proactive steps to mitigate risk.