Defend Your Retirement Plan Against Cyber Crime
If any of your employees have ever applied for a credit card, shopped at Target, or stayed at a Marriott, there is a very real possibility that, due to some recent large data breaches, their personal information is now available to anyone motivated enough to go on the dark web and buy it.
To a cyber criminal, the retirement plan industry looks like a big candy store with over five trillion dollars in liquid assets protected by largely automated systems. Armed with an employee’s name, Social Security number, date of birth, address, and any personal information available on social media, a motivated criminal may be able to pose as an employee and “hack” your corporate-sponsored retirement plan benefit. Not surprisingly, since these large-scale data breaches occurred, industry insiders report a sharp increase in the number of attempts to steal retirement plan assets.
Sophisticated criminals, with little fear of being caught, use stolen personal data to gain access to participant accounts. Relying on participant inattentiveness, they change the contact information on file. Sometimes they pose as an employee to your plan’s help desk, asking to withdraw or borrow money for some imaginary emergency. Other times they withdraw funds using the automated systems in place. They request the money be wired to a domestic bank account and then quickly move the money offshore, never to be seen again.
As a plan sponsor, it’s important to not only recognize the rising risk of cyber crime, but also proactively defend your plan and its participants. Here are some action steps you should consider:
1) Investigate your retirement plan distribution processes
Plan participants have several ways to withdraw money from their accounts including loans, in-service distributions, and distributions upon employment termination. To understand the security of your plan, you must understand the processes in place for obtaining money through these distribution channels. Many plan sponsors have fully automated processes in place to ease the administrative burden of the plan. Depending on the structure of your organization, you may want to consider interrupting a fully automated process with an additional confirmation step handled internally. Most importantly, however, you as a plan sponsor should have a complete understanding of the processes in place to withdraw money from the plan and fully consider any risks that may lead to fraudulent distributions.
2) Facilitate a security discussion with your service provider
To demonstrate a prudent plan oversight process, reach out to your service provider for a cyber security “check-up.” Note concerns about the sharp increases in cyber crime related to retirement plan assets and ask if your plan is doing everything it can to keep these risks at bay. Include specific discussion of:
Advanced Security Measures – If there are additional platform features to enhance security, learn about them. Two-factor authentication is now standard on most platforms. Additional voluntary safeguards are available from certain service providers, such as account lock features and biometric/voice recognition software. If your security measures are confirmed to meet the provider’s protocols, ask the service provider to deliver written confirmation as a way to document your prudent oversight efforts.
Available Legal Protections – Unlike money deposited with a bank, there is no Federal regulation or insurance standing behind retirement plan deposits. Generally speaking, retirement plan recordkeepers, whose systems are relied upon to protect plan assets, say they will cover 100% of any losses due to unauthorized access. Caveats abound regarding what conditions must be satisfied to demonstrate the theft was not the result of user carelessness or inattentiveness.
Some plan service agreements state, “We will reimburse you for 100% of the assets taken.” Then the fine print states, “Our obligation to reimburse applies only in the event such unauthorized activity is due to our failure to implement our contractually agreed upon security protocols.”
For this reason, ask your service provider about their policies for account reimbursement. Understand under what circumstances your provider would not make a participant whole following a successful breach. Armed with this knowledge and an awareness of the language included in your contractual agreement, you will have a better grasp of the legal protections available.
3) Proactively communicate with plan participants
Cyber criminals depend upon participant inattentiveness, which makes it imperative to educate your participant population. Suggest that participants check their accounts regularly and make sure the contact information on file with your plan’s service provider is current. Advise them to keep a lookout for any unauthorized activity. All retirement plan recordkeeping platforms attempt to notify the account holder when changes are made to their account. Participants need to confirm they will receive any such notifications in a timely manner.
Additionally, providing participants with basic cyber security reminders is also impactful. Participants should ensure the integrity of their account log-in information by regularly changing their passwords. Accounts should be accessed via secure wireless networks rather than public Wi-Fi. Caution is also necessary when it comes to email communications. Messages that ask the recipient to click a link or open an attachment from an unknown source are scams cyber criminals frequently use to obtain sensitive information. Installation of anti-virus, anti-malware, and firewall software helps prevent hacking.
Proactive communication regarding cyber crime raises participant awareness. Combined with basic steps to safeguard accounts, this leaves participants better equipped to monitor for and identify potential threats.
4) Understand applicable insurance coverages
After taking these steps internally, with your service provider, and with plan participants, you should still be prepared to address what happens in the event of a successful cyber attack. If a security breach creates a participant loss and your service provider refuses liability, determine whether any of your existing insurance coverage would apply. If not, inquire with your current insurance providers about the availability of any specific coverage that would make participants whole in case of a successful breach of your retirement plan.
With cyber attacks on the rise, plan sponsors must recognize their responsibility to protect participant assets from this threat. As a plan fiduciary, you can demonstrate a prudent plan oversight process by proactively investigating your distribution processes, working with your service provider to ensure adherence to all available security protocols, and communicating with plan participants to raise awareness of the threats which exist. In this way, you provide the best defense for your retirement plan benefit.