Cybersecurity Risk Management 401k Auto Features
Cybersecurity risk management is no longer an issue plan sponsors can ignore. Auto-portability may be an answer to one of the 401k plan sponsors’ cybersecurity risk management concerns. Yes, cybersecurity risk management solutions may be available via the 401k auto features that knowledgeable retirement plan advisors have been touting for the past 5 years. Surprisingly, the technology that makes 401k auto-portability possible may also enhance existing industry best practices that protect plan participants’ personal data, according to a recent Employee Benefit News article by Spencer Williams.
401k Auto-portability is the routine, standardized and automated transfer of a retirement plan participant’s 401(k) savings account balance from their former employer’s plan to an active account in their current employer’s plan. The technology uses to locate and match algorithms that work in tandem to find participants with multiple 401(k) accounts, confirm their identities, and get their consent to rollover small-balance accounts. 401k Auto-portability enables the consolidation of several accounts, which reduces the number of accounts in the 401(k) system, thus resulting in making a participant’s data more secure. In addition, consolidation reduces the number of systems that house a participant’s sensitive data. It also encourages participants, recordkeepers and plan sponsors to be more diligent when it comes to tracking accounts.
The broad-based retirement services industry does not currently have a legal paradigm for cybersecurity. However, the Simsbury, Connecticut based SPARK Institute, a retirement policy center, compiled a list of cybersecurity best practices for retirement plan recordkeepers. It is well worth noting that 401k Auto-portability, went live in 2017, conforms to SPARK’s cybersecurity guidance.
SPARK Institute suggests taking the following steps to address cybersecurity issues:
– Encrypt all sensitive information subject to auto-portability using Advanced Encryption Standard 256-bit encryption, an industry standard developed by the National Institute of Standards and Technology. There is no known type of cyberattack that can read AES-encrypted data without having the cryptographic key.
– Never combine a Social Security number with other personally identifiable information in any single file transfer. The objective should be to ensure there is never enough personal data in any single transmission for a hacker to use to steal an identity. In addition, any file with personal information should never include the identity of either the plan’s sponsor or the record keeper. That further thwarts a hacker from accessing an individual participant’s retirement account.
– Know that auto-portability supports multiple methods of exchanging secure data.
– Ensure that any information flagged during the locate-and-match process that doesn’t adhere to certain criteria requires additional verification to confirm an identity.
– Conduct full address-location searches to ensure that the correct participant is found and properly matched to multiple accounts.
Lawmakers are also taking a more active stance in discovering what’s being done to protect 401k retirement plan participants’ sensitive information, particularly at the federal government level. In a recent letter to the Government Accountability Office (GAO), Senator Patty Murray, D-Wash., and Congressman Bobby Scott, D-Va., asked 10 key (multi-part) questions about retirement plan cybersecurity. (Read our previous 401kTV article and coverage here.)
Cybersecurity breaches are becoming more and more common. Even Facebook was hacked, leaving the personal data of 50 million of its users vulnerable to cybercrime. The more participants who leave stranded, small-balance accounts behind when they move on to a new employer, the greater the likelihood they will be vulnerable to a cybersecurity risk management breach.
One way to protect participants’ data and themselves from cybercriminals is for plan sponsors to embrace 401k auto-portability to lessen the instances of small-balance accounts and missing participants. By doing so, plan sponsors can fortify their cybersecurity risk management safeguards. In an era when cyber attacks are becoming ever more complex and challenging, plan sponsors would be wise to embrace heightened cybersecurity risk management measures. As such, 401k auto-portability is one solution plan sponsors should strongly consider.