Hole in the Bottle … Protecting Against 401(k) Cybersecurity Leakage
by Alex Smith
Both the Department of Labor (DOL) and plaintiffs’ lawyers have taken an interest in retirement plans’ cybersecurity in recent years. Last year, the DOL issued guidance on the cybersecurity considerations plan fiduciaries should be mindful of. In addition, cyber theft in recent years has led to multiple lawsuits. A specific recordkeeper involved in many of these lawsuits is currently being investigated by the DOL with respect to cybersecurity incidents that have impacted certain of its retirement plan clients.
In general, in each of the lawsuits, the thief impersonated the affected participant and was able to change the account’s credentials to access the participant’s account, changed the participant’s mailing address and bank account information, and obtained a distribution of the participant’s account. In some of these cases, the thief managed to intercept mail related to the account changes that was sent to the participant.
While there is not much plan fiduciaries can do if a participant is careless with his or her personal information or 401(k) plan account login credentials, plan fiduciaries can take steps to protect their plan from experiencing cybersecurity-related losses. For example:
- Ensuring that the recordkeeping agreement makes the recordkeeper financially responsible for thefts from participant accounts when the participant is not at fault.
- Ensuring that the recordkeeping agreement requires the recordkeeper to maintain appropriate cybersecurity protections and procedures.
- Requiring the recordkeeper to implement two-factor authentication as the default setting for account access (preferably as part of the recordkeeping services agreement).
- Requiring the recordkeeper to impose a delay on distributions from accounts for a period after the participant’s address and/or banking information has changed (preferably as part of the recordkeeping services agreement).
- Requiring the recordkeeper to notify the participant through the old contact information of any change to the participant’s contact or banking information (preferably as part of the recordkeeping services agreement).
- Requiring the recordkeeper to require the participant to provide a copy of his or her photo identification in order take a distribution (preferably as part of the recordkeeping services agreement).
- Scrutinizing recordkeepers’ cybersecurity processes and procedures during any recordkeeper search process.