Cybersecurity Best Practices for 401k Plan ParticipantsJanuary 02, 2020
Preventing 401(k) fraud requires ongoing vigilance. Here’s an overview of how employers can protect against breaches.
Retirement plan participants have become a major target for data breaches. It’s no wonder, due to the large sums of money and sensitive personal information within 401(k) plan accounts. Retirement plans are frequently excluded from an organization’s cybersecurity arrangement and there are virtually no cybersecurity regulations for retirement plans. So, what can plan sponsors and plan participants do to prevent this? Here we outline some best practices.
Government Oversight-Or Lack Thereof
The U.S is lacking a wide-ranging federal statute concerning retirement plan cybersecurity requirements. The current legislature, the Employee Retirement Income Security Act of 1974 (ERISA), fails to mention information safety in regard to electronic records. Furthermore, a consensus has not been reached on whether sensitive plan information is considered a “plan asset” under the fiduciary criterions of ERISA.
- ERISA requires those with discretionary control over plan assets, administrative power, or those who provide investment advisory services to have fiduciary responsibilities.
- Fiduciaries must act exclusively in the absolute best interest of the participants and beneficiaries. Neglecting cyber threats could possibly violate this obligation.
- Regardless, fiduciaries should be considering the threats on retirement plans, and beginning to implement protection of plan assets and data while continuously analyzing technological changes.
The Plan Participant-Best Practices
While plan administrators, employers, and fiduciaries retain a massive amount of responsibility in terms of retirement plans, plan participants also hold a great deal of responsibility. Establishing online access is the first step towards increasing security, as a hacker could establish it first. Here are some critical, yet simple ways participants can further protect plan data and assets:
- Create a complex password. Strong, complicated passwords, with upwards of 10 characters containing numbers, symbols, and upper and lower case letters are the most effective. Creating passwords that are not words you can find in a dictionary are the most successful. Also, frequently changing passwords is a best practice.
- Establish alternate security questions
- Use multi-factor authentication (MFA)
- Regularly monitor account. Be aware of any changes to personal information or asset balances, and ensure you receive notifications when changes to your account are made.
- Prohibit access: never allow family or friends access to account. Sharing access to personal accounts is highly discouraged. If you do have to share this information, never exchange it via email or text.
- Be aware of phishing schemes. Never click attachments or links in suspicious emails.
- Secure Wi-Fi Networks: Avoid logging into account in untrusted locations with unsecure Wi-Fi. Not all Wi-Fi networks are safe. While retirement accounts should be monitored regularly, monitoring should only occur in trusted settings.
Check out our recent whitepaper, OWN IT, SECURE IT, PROTECT IT: 2019 Cybersecurity Update for more tips.
With the increased vulnerability of retirement accounts due to the sensitive personal information and large quantities of money, plan participants have a responsibility to be vigilant and committed to the protection of their accounts. Proper account safeguards such as strong passwords, regular monitoring, and an overall understanding of participant best practices will increase the safety of retirement accounts.
Questions? Contact our Information Security Services team.