Employers unprepared for 401(k) plan data breaches
Many Americans know to delete an email from a "Nigerian prince" asking them to wire money, but they might grant access to their 401(k) plan if they receive an alert that appears to come from their plan sponsor, however confident they are that they would spot a scam.
The U.S. retirement system, which the Investment Company Institute valued at $5.3 trillion in 401(k) plan assets alone, has become of increasing interest to foreign hackers, typically the perpetrators of large-scale data breaches. However, companies, plan sponsors and plan participants are unaware of, or underprepared for, the ramifications of a cyberattack, experts warn.
One problem: The current system focuses on who is liable — the plan sponsor or plan participant — in the case of a hack, rather than educating employees on the risks they bring to their own retirement savings.
“If a third-party administrator’s system is breached because they don’t have good enough security in place, they need to put the money back. If the breach comes from the plan sponsor, they need to put the money back,” says Sam Krause, a Los Angeles-based counsel at law firm Crowell & Moring’s corporate, healthcare, tax, and labor and employment group. “They’re not looking at it as a fiduciary duty to protect those assets. It’s glaringly absent in these contracts: What happens when it is the plan participant’s fault?”
Krause and David McFarlane, a partner at the same firm, say that the courts will look to the plan sponsors and ask whether they fulfilled their fiduciary responsibilities under ERISA and whether they took reasonable action to prevent phishing attempts. Even if the plan participants are not liable, they will still see investment losses, because money that has been withdrawn and later restored has less time to grow to its full potential. For retired workers, the effects of a cyberattack would be detrimental, the attorneys say.
“It would be a real catastrophe if people fell prey to these types of attacks,” Krause says. “These are not people who are drawing a paycheck regularly.”
Although 401(k) plan providers use robust, if standard, security measures, there are very few safeguards participants can enable themselves, such as an employee-enabled block on withdrawals from accounts less than 10 years old.
“Somebody should be able to say, ‘Unless I go through certain steps, money should not be taken out,’” Krause says.
The Securities and Exchange Commission recommends that plan participants pick strong passwords and change them regularly, add biometric screening and two-factor authentication, use caution with Wi-Fi connections and public computers, and opt in to account alerts. Those suggestions won’t help employees, however, if they believe an alert about 401(k) misuse is coming from the plan sponsor when it actually comes from a hacker.
“We see a level of security in our practice, because we’re lawyers, that we don’t see in my 401(k),” Krause says.
Companies need to take a two-pronged approach in helping employees protect their assets.
The first is creating a written plan to address cybersecurity and thinking of the matter as technological, not just legal, the Crowell & Moring attorneys say.
“We do have clients that have come to us with this issue,” McFarlane says. “One of the things we are advising and helping our clients with is a response plan. How do you notify employees [in a timely manner]?”
The attorneys recommend leveraging the expertise that already sits within the company: communicate with the chief data officer and other IT executives to determine where the company might be at risk, how to educate employees on avoiding 401(k) phishing attempts, and what to do if a hack occurs.
The second aspect is to communicate with the plan sponsor on security measures, says Karen Prange, chief compliance officer for the retirement business of Lockton, the world’s largest privately held insurance broker.
“The growth and explosion of cyberattacks is not specific to employee benefit plans,” Prange says. “Employers are becoming more sensitive to the risk and the fiduciary obligation to their plan participants to protect them. As a result, the providers are getting very sensitive to the dialogue and looking at their control environment and at how they protect the data they hold.”
She says that while companies are generally focused on the logistics of using a third-party administrator (TPA), they pay less attention to the behavior of their own employees, assuming the recordkeeper will be the entity watching participants. Rather than maintaining those silos, Prange recommends that companies partner with their providers to reinforce the message around 401(k) security.