Is Your Company’s Retirement Plan Safe from Hacking?

Many employees rely heavily on the money they put into their employer-sponsored 401(k) account to pay for their retirement. The last thing they want is for the money to be stolen by cyber thieves.

Cybersecurity is a growing concern. When Equifax, a credit reporting agency, was hacked in September 2017, hackers stole information that may be used to steal money from Equifax’s clients. The information included Social Security numbers, birth dates, addresses and driver license and credit card numbers.

The good news is that investment accounts such as a 401(k) are relatively safe. There are enough safeguards and daily asset management measures in place that a major investment firm likely will not see its accounts drained. The biggest threat to retirement accounts comes from how individual employees handle those accounts.

There is insurance you can purchase that will reimburse individuals up to $500,000 if the brokerage firm fails, but it does not protect your employees against theft or fraud. An individual could be reimbursed if money from their account is stolen, but it depends on whether they did their due diligence to protect the account and if they notify the brokerage firm quickly.

In short, it pays to be careful. There are several steps each party to a retirement account needs to take to keep the money safe. Here are some important ones for you and your employees to consider:

Plan Sponsor/Employer
A plan sponsor is an entity that implements a retirement plan, such as a 401(k), for employees.

If you are the plan sponsor, your responsibilities are to determine the benefit package, and, if necessary, amend or terminate the plan.

If your plan is cyber-attacked and funds are taken, you must replace the money if the breach can be traced back to your company and you did not take reasonable action to prevent the attack.

To protect your assets:
• Work with your chief data officer to prepare a written plan addressing cybersecurity weaknesses and ways to educate employees on avoiding 401(k) phishing. Phishing is an attempt to obtain sensitive information through electronic communications by disguising as a trustworthy entity. You also should have a plan to notify your employees if there is a breach.
• Report any account breaches immediately to the federal government. This will make it harder for the hackers to harm someone else’s business. You might think you’re opening your business to prosecution, but the Cybersecurity Information Sharing Act of 2015 gives companies more protection from liability when sharing information with the federal government about threats to their systems.
• Talk to your vendors about the security measures that they and their third-party vendors’ use to ensure they are complying with ISO 27001 and guidelines as recommended by the National Institute of Standards and Technology.
• Record the least amount of confidential information possible because the less you have, the less there is to be stolen. It’s not usual for employers to have employees’ Social Security, driver’s license or passport numbers; employees’ bank account information; legal name; and date of birth.
• Educate employees on avoiding phishing attempts and how to boost safeguards for their personal information. For instance, they should be wary of credit cards or loans they did not request. Employees also should check their financial accounts regularly for unfamiliar transactions. They also should request credit reports to make sure no unauthorized accounts have been started or loans made.
• Check if your vendor uses multifactor authentication, which requires account holders to present several pieces of information to prove their identity, as recommended by the U.S, Federal Financial Institutions Examination Council. This reduces the possibility that employees’ accounts will be hacked.
• Work with your financial planners to make sure they are watching employees’ accounts. They can spot problems, such as checking with employees about withdrawal requests. You can ask your advisor to verify any withdrawal requests over the phone before completing employees’ transactions.
• Your company’s 401(k) should only invest in traded securities, such as public funds, ETFs, stocks and bonds.

Plan Participant
A plan participant contributes to a pension plan or receives benefit payments from the plan. For a cyber thief to get a plan participant’s money from a 401(k) through a plan administrator, they must have the employee’s account information and request the distribution. You would then have to approve the distribution. The likelihood of that happening is slim. However, once an
employee retires, the information becomes easier to access.

Many major providers will cover employees’ accounts, but only if the employee can prove they didn’t play a role in the hack. For example, one provider expects plan participants to check their account frequently, but the term “frequently” is not defined.

The Securities and Exchange Commission recommends that individuals:
• Choose long passwords that include numbers and symbols that are different from passwords
used on other sites; and change passwords frequently.
• Don’t write passwords down. Instead, use password management software.
• Don’t share information with anyone.
• Keep account contact information up to date.
• Don’t use public computers for account transactions.
• Monitor the account regularly and report problems immediately.
• Allow account alerts that send a notification each time a transaction is made.
• Be aware that thieves can get more information by telephone or email — so don’t share personal information with strangers.

For help minimizing your cybersecurity risk, please contact us.