401k Plan Cybersecurity Concerns Are Growing
401k plan cybersecurity continues to draw more attention from plan fiduciaries. Online platforms and mobile apps are becoming retirement plan participants' method of choice for keeping tabs on their workplace retirement plan accounts, and that makes 401k plan cybersecurity a growing concern. Because the majority of participants manage their accounts online, plan communication platforms are exposed to 401k plan cybersecurity issues such as cyber-attacks and data breaches. With 401(k) plans holding $5.7 trillion in assets as of March 2019, per the Investment Company Institute (ICI), retirement plans are an attractive target, according to the Society for Human Resource Management (SHRM). SHRM warns that it may be only a matter of time before there is a "successful, large-scale cyber-attack on retirement plans."
Specifically, attackers could target employees' retirement accounts to steal sensitive personal information (Social Security numbers, dates of birth, etc.), which could lead to identity theft, or to steal retirement savings outright through fraudulent online transactions such as unauthorized distributions or loans. To date, there is no federal law that spells out 401k plan cybersecurity duties for retirement plan fiduciaries. In the recent past, Congress has pressed the Government Accountability Office (GAO) on improving cybersecurity measures, but the federal government still lags when it comes to taking comprehensive and decisive action to prevent cyber attacks. ERISA, the law that governs workplace retirement plans, is silent on cybersecurity, which is no surprise given that the Act was written in the 1970s. That said, ERISA does impose certain standards of care on plan fiduciaries, as SHRM noted:
“Fiduciaries owe a duty of loyalty to plan participants and must discharge their duties solely in the interest of plan participants and beneficiaries. Ignoring online threats could potentially violate this duty.”
"Fiduciaries must act prudently, with the care, skill, and diligence that similarly situated fiduciaries might use. If various 401k plan cybersecurity protections have become standard practices for plan fiduciaries, then a fiduciary risks breaching this duty if it fails to implement similar safeguards."
As such, plan sponsors should take action to safeguard digital and online retirement plan platforms against cybersecurity vulnerabilities, particularly those platforms that provide access to sensitive data and participant assets. Because the prudence standard is measured against what similarly situated fiduciaries do, it is also important to periodically re-evaluate what counts as a cybersecurity best practice as technology and industry practice evolve.
SHRM suggests that plan sponsors and plan fiduciaries consider the following steps to proactively protect participant and plan data against potential 401k plan cybersecurity breaches:
Education: Plan fiduciaries should educate themselves and participants about cybersecurity threats and how to protect retirement plan assets against them. Participant education should cover password security (unique, strong passwords not reused from other sites) and security measures such as two-factor authentication where the recordkeeper offers it. Participants should also be reminded to check their accounts regularly for signs of compromise, including fraudulent or unauthorized transactions, changed contact details, or unexpected distribution requests.
Negotiate cybersecurity protections: Plan fiduciaries should negotiate, and periodically revisit, 401k plan cybersecurity provisions in their service agreements with third-party providers such as recordkeepers, including breach notification obligations and responsibility for losses from fraudulent transactions.
Monitor service providers: Plan fiduciaries have a responsibility to prudently select and monitor service providers. As such, they should understand the cybersecurity measures their service providers take to protect sensitive participant and account information, and should ask for evidence of those measures rather than relying on assurances alone.
Understand internal risks: Cybersecurity risks can also come from within, so employers should periodically review and assess their own measures for protecting participant and account data against 401k plan cybersecurity attacks.
Plan fiduciaries should also document their efforts to shore up 401k plan cybersecurity. While the regulations are mostly silent on the duties of a "digital fiduciary," it is prudent for plan fiduciaries to be able to show a demonstrable, documented process for protecting retirement assets through proactive cybersecurity management, since a documented process is what will be examined if a breach or a participant claim ever puts the fiduciary's prudence in question.