Cybersecurity, a Different Type of 401(k) Risk Assessment

In an increasingly digital world, retirement savings and pensions are becoming a bigger target for cybercrime every day.

When you think of 401(k)s what do you think of? Money, retirement, investments, savings, complex decisions, risk assessment, the stock market, and company matching may come to mind. What may not be on your word association top ten list is cybersecurity…but it should be. In an increasingly digital world, retirement savings and pensions are becoming a bigger target for cybercrime every day. It’s easy to understand why; Plan Adviser notes that, “as of 2018, the EBSA estimates that there are 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution (DC) plan participants with combined assets of $9.3 trillion.”[1]

The Verizon 2021 Data Breach Investigations Report found that organized crime is responsible for approximately 80% of financially motivated attacks.[2] However, they also note that “‘doing the basics’ will help against the vast majority of the problem space that is most likely to affect your organization.” Phishing (~40%), hacking (~20%), and ransomware (~10%) round out the top three types of breaches. When it comes to phishing and scams, there are many ways that scammers may target employees specifically, and education is an essential part of any enterprise risk management strategy.

In addition to informational training, some companies run internal white hat phishing tests, in a kind of phishing version of Inception: the emails are meant to look almost like regular emails, but have key details that are slightly off, in ways that are common to scam messages. For example, the sender’s email may have their name as “Company Name Human Resources” but their actual email address doesn’t match, or if an email says “click here to sign up for our internal benefits webinar”, when hovered over, the link leads to an entirely different and very suspicious page. Others may appear to be external emails, like “you’ve received an e-card, click here to view!” or even “your account has been hacked, click here to reset your password!” If this were real, once a sense of urgency has been created, the user may unwittingly provide a scammer their username and current password, allowing them account access. Like its hacking counterpart, white hat phishing can help train employees in how to spot a real phishing email, and provide metrics on who is failing (and in what ways) so the company can provide susceptible employees with opportunities for additional training and learning.

As in the example above, in terms of stolen credentials, passwords can bring employee’s (and sponsors’) entire house of cards down because so many users reuse passwords for multiple sites and infrequently, if ever, change them. Every site wants every user to have a unique password for their website, and if your employees are like the rest of us, they absolutely don’t do this. We’re all guilty of reusing passwords. They’re complicated! We all use so many sites! They require a capital letter, a special character, 300 characters, your firstborn child, and the Pope’s personal blessing. But if there’s anything that deserves its own unique, special, regularly changed password, it’s their financial future. It’s one thing if their Facebook account gets hacked and they post nothing but obviously fake links to suspicious content; it’s another thing entirely if a malicious entity has access to their life’s savings.

In the first move of its kind, the Employee Benefits Security Administration (EBSA) of the US Department of Labor has issued cybersecurity guidelines for plan sponsors including online security tips for retirement account holders, a detailed list of cybersecurity best practices, and tips for hiring service providers to ensure their cybersecurity practices are ironclad.[3][4][5] Much of the contents are fairly run of the mill ERM components, but ensuring your risk management plan checks off these boxes will ensure that confidential data stays as secure as possible and risk is minimized. The Employee Retirement Income Security Act (ERISA) holds 401(k) plan fiduciaries to strict standards regarding personally identifiable information (PII), and while many plan sponsors outsource recordkeeping security, they are still obligated to ensure the recordkeepers have adequate security and can be liable if they fail to maintain adequate data defenses. Reviewing company risk management policies, ensuring protections meet EBSA standards, and thoroughly educating employees are key elements to ensuring that your organization doesn’t fall victim to digital threats.

[1] https://www.planadviser.com/dol-issues-cybersecurity-guidance

[2] https://www.verizon.com/dbir

[3] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf

[4] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf

[5] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf


These articles are prepared for general purposes and are not intended to provide advice or encourage specific behavior. Before taking any action, Advisors and Plan Sponsors should consult with their compliance, finance and legal teams.

Back to Blog

Latest Entries

Need a Proposal?

Before leaping into the unknown, we recommend a thorough examination of your plan. Because we are experts in the field, we know the marketplace and know what your existing vendor is capable of offering.  Through this examination, we can help you optimize the service you receive.

get xpress proposal