Many Americans know to delete an email from a "Nigerian prince" asking them to wire money, but they might still grant access to their 401(k) plan if they receive what looks like an alert from their plan sponsor.
The U.S. retirement system, which the Investment Company Institute valued at $5.3 trillion in 401(k) plan assets alone, has become of increasing interest to foreign hackers, typically the perpetrators of large-scale data breaches. However, companies, plan sponsors and plan participants are unaware of, or underprepared for, the ramifications of a cyberattack, experts warn.
One problem: The current system focuses on who is liable — the plan
sponsor or plan participant — in the case of a hack, rather than educating
employees on the risks they bring to their own retirement savings.
“If a third-party administrator’s system is breached because they don’t
have good enough security in place, they need to put the money back. If the
breach comes from the plan sponsor, they need to put the money back,” says Sam
Krause, a Los Angeles-based counsel at law firm Crowell & Moring’s
corporate, healthcare, tax, and labor and employment group. “They’re not
looking at it as a fiduciary duty to protect those assets. It’s glaringly
absent in these contracts: What happens when it is the plan participant’s
fault?”
Krause and David McFarlane, a partner at the same firm, say that the courts will look to the plan sponsors to see whether they fulfilled their fiduciary responsibilities under ERISA and whether they took reasonable action to prevent phishing attempts. Even if the plan participants are not held liable, they will see investment losses because the stolen money has less time to grow to its full potential. For retired workers, the effects of a cyberattack would be detrimental, the attorneys say.
“It would be a real catastrophe if people fell prey to these types of
attacks,” Krause says. “These are not people who are drawing a paycheck
regularly.”
Although 401(k) plan providers use robust, albeit standard, security measures, there are very few safeguards participants can put in place themselves, such as an employee-enabled block on withdrawals from accounts less than 10 years old.
“Somebody should be able to say, ‘Unless I go through certain steps,
money should not be taken out,’” Krause says.
The Securities and Exchange Commission recommends that plan participants pick strong passwords and change them regularly, add biometric screening and two-factor authentication, use caution with Wi-Fi connections and public computers, and opt in to account alerts. Those suggestions won’t help employees, however, if they believe an alert about 401(k) misuse is coming from the plan sponsor when it is actually coming from a hacker.
“We see a level of security in our practice, because we’re lawyers, that
we don’t see in my 401(k),” Krause says.
Companies need to take a two-pronged approach to helping employees protect their assets.
The first prong is creating a written plan to address cybersecurity and treating the matter as a technological problem, not just a legal one, the Crowell & Moring attorneys say.
“We do have clients that have come to us with this issue,” McFarlane
says. “One of the things we are advising and helping our clients
with is a response plan. How do you notify employees [in a timely manner]?”
The attorneys recommend leveraging the expertise that already sits within the company: communicating with the chief data officer and other IT executives to determine where the company might be at risk, how to educate employees on avoiding 401(k) phishing attempts, and what to do if a hack occurs.
The second prong is communicating with the plan sponsor about security measures, says Karen Prange, chief compliance officer for the retirement business of Lockton, the world’s largest privately held insurance broker.
“The growth and explosion of cyberattacks is not specific to employee
benefit plans,” Prange says. “Employers are becoming more sensitive to the risk
and the fiduciary obligation to their plan participants to protect them. As a
result, the providers are getting very sensitive to the dialogue and looking at
their control environment and looking at how they protect the data they hold.”
She says that while companies are generally focused on the logistics of using a TPA, they are not paying as much attention to the behavior of their employees; the recordkeeper ends up being the only entity watching participants. Rather than maintaining those silos, Prange recommends that companies partner with their providers to reinforce the message around 401(k) security.
Original article from Benefit News.