The Coronavirus pandemic, without a doubt, has changed the way we do business. It has also created some unanticipated vulnerabilities. For instance, since the start of the “new normal,” there has been an increase of cyberattacks on retirement plans and participant accounts through unauthorized distributions. How did this happen? In March of 2020, Congress passed the CARES Act legislation that increased access to retirement funds for those affected by the COVID-19 pandemic. At the same time, many employees started to work from home, many on personal devices and in unsecure environments. The heightened level of plan distributions together with the security risks associated with electronic communications and working remotely, may have created the perfect storm for exposure of participants’ confidential and personal data to cybercriminals. Why would these sophisticated criminals target retirement plans? To quote the famous bank robber, Willie Sutton, when asked why he robbed banks, “because that’s where the money is.” With $6.7 trillion of total assets in 401(k) plans, it seems that Willie would agree that it’s where the money is.
Participant distributions have become a particular focus for fraudsters. Retirement accounts typically have higher balances than checking or savings accounts and they also tend to be less monitored by the participant. Participants are typically encouraged NOT to change their investment selections too frequently, so many only view their statements on a quarterly basis. Though cases of distribution fraud were detected by the FBI as early as 2017, the instances of attacks against retirement accounts have skyrocketed during the pandemic. Additionally, retirement plans tend to have many service providers, like TPAs, recordkeepers, and financial advisors. Some even contract with an outside trustee or trust company to facilitate participant distributions. So, in the unfortunate case that a data breach or fraudulent distribution occurs, who is the responsible party? The answer is not as clear as one might think given that ERISA, the main body of law governing retirement plans, was passed into law in 1976, long before the use of the internet or electronic processing. So, with so many parties involved, the courts have many times indicated shared liability between the plan sponsor and other service providers.
How can the chance of cyberattacks be mitigated?
Monitor the Plan’s service providers
Some plan sponsors believe that the hiring of external experts like trust companies and other fiduciaries will protect them in the case of fraud. Under ERISA, the employer/plan sponsor has the fiduciary duty to not only protect participant data but to also select and monitor plan service providers. Service providers, like recordkeepers and trust companies, say they are constantly upgrading their cybersecurity systems, but plan sponsors should be asking questions about their cyber policies as well as improvements to their systems. Mid Atlantic Trust Company, which provides trust and custody services to over 125,000 retirement plans, has taken steps to guard against distribution fraud in its paying agent services, a solution that can be used by recordkeepers, TPAs or even directly by the plan sponsor to process participant distributions. Michele Coletti, who serves as Mid Atlantic’s Chief Operating Officer, states that when processing distributions, “Mid Atlantic includes several layers of review at pre-set release levels determined by the clients, as well as confirming distributions against an industry-leading fraud prevention service.” Additionally, Mid Atlantic looks for distribution red flags in its processes, such as transfers to newly opened bank accounts or funds being transferred to accounts where the registrations don’t match.
Transmit all plan data securely
Although it may take a few more clicks and the creation of another password protected account, plan sponsors and participants should always use a secure portal or encrypted email to send personally identifiable information (PII). That means not using company or personal email to send census information, distribution forms or other communications containing PII in an unsecure fashion.
Learn, learn, learn
Like most things involving cybersecurity, education is key. Educating staff members and participants about phishing emails and click bait schemes that are used to trick the recipient into revealing personal information is a highly effective way to stop fraud. Fraudsters use catchy subject lines like “Approve Changes to your 401(k) Account” or “Click here to update your information” to get participants to reveal information to them. This type of education isn’t once and done but should be repeated on at least an annual basis and as part of employee orientation.
Establish online access
Though it may sound counter intuitive, encourage all participants to set up their online account access and check them regularly even if they prefer to receive paper statements. Unclaimed online accounts are easier for hackers to access and take control. Participants should also choose strong passwords and set up multifactor authentication (MFA) which sends codes to multiple devices to verify the account holder’s identity. Avoiding the use of public Wi-Fi to access retirement accounts greatly decreases the potential of being hacked.
Good policies and procedures go a long way
It’s important to note that not all fraud will be electronic. There are reported cases where fraudsters have used fax, phone and even paper documents by mail to perpetrate distribution fraud. Plan sponsors should follow strict procedures, and ensure that their service providers do as well, to reduce the chance of a fraudulent withdrawal from a participant’s account.
Will retirement accounts ever be 100% secure? Though we may wish so, account theft will continue to evolve as fraudsters find ways of mining personal information whether it be from social media sites, like LinkedIn and Facebook, or by hacking email accounts or passwords. Maintaining good administrative practices as a participant or plan sponsor and selecting service providers who remain vigilant in upgrading their cyber security systems will be key to protecting plan data and assets from cyberattacks.
This newsletter is intended to provide general information on matters of interest in the area of qualified retirement plans and is distributed with the understanding that the publisher and distributor are not rendering legal, tax or other professional advice. Readers should not act or rely on any information in this newsletter without first seeking the advice of an independent tax advisor such as an attorney or CPA.
©2021 Benefit Insights, Inc. All rights reserved.