Cybertheft and Retirement Plan Assets
If news headlines about cyber-attacks and data breaches have not yet frightened you into examining and bolstering the security measures protecting your retirement plan assets, what kind of an epiphany are you waiting for?
See 21 Terrifying Cyber Crime Statistics. The current magnitude and frequency of cyber-crime are alarming, but the projected growth is staggering. When asked why he robbed banks, notorious robber Willie Sutton replied, “that’s where the money is.”
As of December 31, 2018, 401(k) plans held an estimated $5.2 trillion in assets of the $27.1 trillion in US retirement assets, which includes employer-sponsored retirement plans (both defined benefit and defined contribution plans sponsored by both private and public-sector employers), individual retirement accounts (IRAs), and annuities. Retirement plan assets are a very rich target for cyber criminals.
When it comes to your company’s retirement plan assets, have you as the employer plan sponsor:
- Included the retirement plan as part of your business cybersecurity plan?
- Reviewed the security measures of the custodian of the plan assets and the third-party administrator?
- Examined potential weaknesses, in particular with respect to the risks associated with a fraudulent distribution?
Threats that you may not perceive as real to your business are very likely only clicks away from retirement assets. As the plan sponsor, the employer is a fiduciary and has the duty to act with prudence and diligence and to monitor service providers.
The failure to examine the security measures protecting plan assets, the failure to investigate the security measures of the custodian and third-party administrator, the failure to adopt and apply reasonable security protocols and/or the failure to reasonably invest in appropriate hardware and software could all result in a breach of fiduciary duty and employer liability for plan assets fraudulently diverted to bad actors.
There is no foolproof procedure to safeguard retirement plan assets. However, a basket of security measures similar to those applied to your business should be implemented. This includes reviewing the following:
- The policies and procedures regarding the application for distributions from the plan should be reviewed. If the process is completely digital, what authentication factors are required to confirm the identity of the party receiving the distribution?
- What is the process by which the employer approves a requested distribution? Does the employer confirm the distribution request with the participant?
- Is the personal identifying information that can be used to create user identification for plan access protected?
- Are passwords changed with reasonable frequency? Are the employee participants advised as to the strength or weakness of passwords?
- For most plans, there is no reason to make a direct rollover to a bank or financial institution outside of the United States.
- If the distribution is not a direct rollover to a U.S. bank or financial institution, is there a need for the electronic transfer of funds vs. the custodian issuing a check to the participant? Because retirement plan assets have become such a significant component of employees’ wealth (the average 401(k) balance at the end of 2018 was $103,000), the security gained from a delay in the distribution process to confirm the authenticity of the request and the participant’s account outweighs both any inconvenience and the corresponding risk associated with an unverified but speedy digital process.
If you are still not convinced that you should examine your retirement plan’s security measures, do an internet search for malware, phishing, spoofing, account takeover and then let’s ask again: what kind of an epiphany are you waiting for?
Legal Advice Disclaimer: The content of this website is provided for general information purposes only. It should not be used as a substitute for consulting an attorney for legal advice regarding the reader's own affairs. Knox McLaughlin Gornall & Sennett, P.C. is not responsible for the content provided on any third-party website which may be accessed via links provided by this site.