
Plexus Financial Services

Cybersecurity Must Be a Priority for Plan Fiduciaries

Most 401(k) plans have access to a large pool of funds, making them an attractive target for cybertheft. And while stolen funds are devastating, unauthorized transactions aren’t the only goal of cybercriminals. 401(k) accounts contain a plethora of sensitive personal information that can entice hackers interested in perpetrating identity theft and other forms of fraud. Because of these risks, it’s important for fiduciaries to understand cybersecurity and to follow established safety protocols aimed at keeping their plans secure.

Growing Risks for Plans
According to a 2022 survey by Callan, cybersecurity is a top concern for plan sponsors, and nearly a third of sponsors polled stated that they intended to review and audit their plans’ security practices. Their concerns aren’t unfounded. While the exact number of cyberattacks on 401(k) plans is unknown, successful breaches can be highly damaging. For example, one lawsuit alleged that more than $245,000 was stolen from a retirement account over a two-month period.

Multiple Avenues of Attack
Most people know not to share passwords or to check sensitive information on public computers. But even when participants and fiduciaries follow these basic precautions, they can still be at risk. One of the most common forms of attack is phishing, in which a criminal sends a message that imitates official correspondence from the plan or its recordkeeper and baits the recipient into entering login credentials or personal information, typically on a look-alike website controlled by the attacker. Beyond phishing, attackers may also target the plan's hosting servers directly: a compromise there exposes every participant's account at once, regardless of how careful each individual has been.

Some of the concerns about cybersecurity are around the plan assets themselves. As more plans begin to offer cryptocurrency options, some experts worry that this could make 401(k) accounts even more vulnerable – in fact, a 2021 study showed that cyberattacks on cryptocurrency were among the top three types of crime reported to the FBI.

DOL Guidance
The Department of Labor (DOL) has issued guidance for plan fiduciaries that outlines their responsibility to keep their plans safe and sets out best practices for cybersecurity. The DOL makes clear that mitigating cybersecurity risk is part of a fiduciary's duty to protect plan participants, and many of the practices it recommends involve regular security checks and documented procedures. The department states that plans should have a formal, documented cybersecurity program and strong access control procedures, so that only authorized persons can reach plan accounts and participant data. It also recommends annual risk assessments and independent third-party security audits, encryption of sensitive data both at rest and in transit, regular security awareness training, and careful vetting of service providers' cybersecurity practices before hiring them.

By adopting the DOL’s recommended practices, fiduciaries can provide an extra level of safety and security for plan participants. Sponsors should have processes in place to address breach notifications, system restoration and the evaluation of service providers with cybersecurity in mind. Just as risk is inherent in markets, it will always be present in the online management and administration of retirement plans. It’s therefore incumbent upon plan sponsors to adopt prudent processes to detect and deter breaches as well as mitigate damage resulting from cyberattacks.

Plexus Financial Services, LLC (“PFS”) is a member of Retirement Plan Advisory Group™ (RPAG™). The consulting services described in this presentation reflect services that can be provided to your company as a result of our membership with RPAG. This includes, but is not limited to, investment due diligence, RFP and fee benchmarking, plan design and fiduciary review and communication services. RPAG is not in the business of providing legal advice with respect to ERISA or any other applicable law. The materials and information do not constitute, and should not be relied upon as, legal advice. The materials are general in nature and intended for informational purposes only. All content, including any brochures or other materials designed for potential use with plan sponsors, fiduciaries, and plan participants, must be reviewed and approved by the compliance and legal department(s) of the financial professional and/or firm prior to any use to confirm that they meet the firm’s legal and compliance policies and standards. The financial professional and his/her firm are solely responsible for the use of content and any materials included herein, and for ensuring that all services provided by the financial professional conform to the firm’s legal and compliance policies and standards.

PFS does not provide specific investment, tax, and/or legal advice and the information referenced/provided is not specific to any company’s or individual’s circumstances. These materials are general in nature and provided for educational purposes based upon publicly available information from sources believed to be reputable and reliable; we cannot assure the accuracy or completeness of these materials and as a result, personal diligence should be completed before relying or acting upon the information presented. Any general information referenced/provided is not to be construed as personalized investment, tax, and/or legal advice. Always consult an advisor, attorney and/or tax professional regarding your specific situation.

This communication is strictly intended for individuals residing in the states where PFS is registered and does not provide any information regarding any offers or services directly provided by PFS. The information referenced/provided is not to be considered an offer to buy or sell, or a solicitation of any offer.

You may request receipt of PFS’ Form ADV, Privacy Policy Statement, Code of Ethical Behavior, and/or Conflict of Interest Policy at any time by written request to communications@plexusfs.com. For additional details or questions regarding this or any information provided by or related to PFS please visit our website at www.plexusfs.com. PFS is located at 21805 W. Field Parkway, Suite 300, Deer Park, Illinois 60010. To contact us by phone please call (847) 307-6222.

PFS is a wholly owned subsidiary of The Plexus Groupe LLC. Advisory services are offered through Plexus Financial Services LLC, a registered investment advisor with the SEC which transacts business in states where it is properly registered, or is excluded or exempted from registration requirements, member FINRA www.finra.org, and the SIPC www.sipc.org. SEC registration does not constitute an endorsement of the firm by the Commission nor does it indicate that the adviser has attained a particular level of skill or ability.

Check the background of this financial professional on FINRA's BrokerCheck