Cybersecurity Must Be a Priority for Plan Fiduciaries

Most 401(k) plans have access to a large pool of funds, making them an attractive target for cybertheft. And while stolen funds are devastating, unauthorized transactions aren’t the only goal of cybercriminals. 401(k) accounts contain a plethora of sensitive personal information that can entice hackers interested in perpetrating identity theft and other forms of fraud. Because of these risks, it’s important for fiduciaries to understand cybersecurity and to follow established safety protocols aimed at keeping their plans secure.

Growing Risks for Plans

According to a 2022 survey by Callan, cybersecurity is a top concern for plan sponsors, and nearly a third of sponsors polled stated that they intended to review and audit their plans’ security practices. Their concerns aren’t unfounded. While the exact number of cyberattacks on 401(k) plans is unknown, successful breaches can be highly damaging. For example, one lawsuit alleged that more than $245,000 was stolen from a retirement account over a two-month period.

Multiple Avenues of Attack

Most people know not to share passwords or use public computers to check sensitive information. But even if participants and fiduciaries follow these basic protocols, they might still be at risk. One of the most common forms of cyberattack is phishing, where a cybercriminal sends a fake message that resembles official correspondence and baits the recipient to enter their personal information. But in addition to phishing, hackers could target the plan’s hosting servers directly to gain access.

Some of the concerns about cybersecurity are around the plan assets themselves. As more plans begin to offer cryptocurrency options, some experts worry that this could make 401(k) accounts even more vulnerable – in fact, a 2021 study showed that cyberattacks on cryptocurrency were among the top three types of crime reported to the FBI.

DOL Guidance

The Department of Labor (DOL) has issued guidance for plan fiduciaries that outlines their responsibility to ensure their plans are safe and provides best practices for cybersecurity. The DOL clarifies that ensuring cybersecurity is part of a fiduciary’s duty to protect plan participants, and many of the techniques that they recommend involve regular security checks and procedural clarity. The department states that plans should have a clearly outlined security procedure and access protocols to ensure that no one can access plans except participants and fiduciaries. They also recommend strong and up-to-date data encryption, regular security training and audits and strict vetting for service providers.

By adopting the DOL’s recommended practices, fiduciaries can provide an extra level of safety and security for plan participants. Sponsors should have processes in place to address breach notifications, system restoration and the evaluation of service providers with cybersecurity in mind. Just as risk is inherent in markets, it will always be present in the online management and administration of retirement plans. It’s therefore incumbent upon plan sponsors to adopt prudent processes to detect and deter breaches as well as mitigate damage resulting from cyberattacks.


This article was originally published in the October 2022 Retirement Times newsletter. To read more, download the newsletter here.

This newsletter is distributed for general informational purposes only. No part of this newsletter nor the links contained therein is a solicitation or offer to sell investment advisory services. Information throughout this newsletter is obtained from sources which we believe reliable, but we do not warrant or guarantee the timeliness, accuracy or completeness of this information and the information presented should not be relied upon as such. All investments involve risk of loss, including the possible loss of all amounts invested, and nothing within this newsletter should be construed as a guarantee of any specific outcome or profit. This newsletter is confidential and is intended solely for the information of the person to whom it was delivered and may not be reproduced or redistributed in whole or in part, nor may its contents be disclosed to any other person under any circumstances.