News of commercial database breaches may seem commonplace in 2019. But while most of these stories focus on compromised bank and credit card accounts, 401(k) plan sponsors and participants probably don't realize that their plan assets are also at risk.
Employers who offer 401(k) plans to their employees need to take precautions against identity theft and account takeover. Part of this is educating participants.
Role of sponsors
If your organization sponsors a 401(k) plan, it's essential that you assess the security controls and policies of the plan's service providers. Most providers carry cyberfraud insurance that they extend to plan participants. But that protection may be limited or denied if, for example, the provider determines that you (the sponsor) or your employees (the participants) failed to follow the security practices the provider requires.
Your plan's documents may say that participants must adopt the provider's recommended security practices. These could include checking account information "frequently" and reviewing correspondence from the administrator "promptly." Vague terms like these can become the basis for denying a claim, so make sure you and your employees understand what the provider means by them, and follow them.
What participants can do
Traditionally, 401(k) plan participants have been discouraged from worrying about short-term fluctuations and volatility in their accounts, and instead encouraged to focus on the long run. However, an account nobody looks at is an account where theft can go unnoticed for months. Instruct employees to check their balances periodically and to look for signs of unauthorized activity, such as withdrawals, loans, or changes to their address, bank account or beneficiary information that they did not make.
Employees should also take the same steps they follow to protect other online accounts. For example:
- Use a strong, unique password for the plan account, and change it whenever a compromise is suspected. (Current NIST guidance, SP 800-63B, no longer recommends forcing password changes on a fixed schedule.)
- Turn on two-factor authentication wherever the provider offers it, preferring an authenticator app or hardware key over SMS codes.
- Don't reuse the same login ID and password across multiple sites.
- Don't let a browser on a shared or unlocked computer save login information; a dedicated password manager is a safer place to keep it.
- Never share login information, even with family members.
Such precautions can foil some of the most common retirement plan thieves, namely relatives and friends, who already know enough about a participant to get into the account. In one real-life case, a plan participant divorced his wife and moved out of the house. However, he didn't update his address with his plan provider, so account correspondence kept going to his former home. He also didn't change his password or review his balance regularly. His ex-wife cleaned out his balance of more than $40,000.
A few clicks
Without adequate vigilance, anyone can be a few clicks away from cleaning out your employees' 401(k) accounts. Review your plan documents carefully and educate participants about their responsibilities for monitoring their accounts. Contact Ashley Lee, CPA, CFE at firstname.lastname@example.org for more information on identity theft and our risk management services. Contact Jake Kriegler, CPA at email@example.com for information on our 401(k) audit services.