It is the fiduciary duty of the plan sponsor to ensure the safety of participants’ funds, which includes protecting those funds from cybercriminals and fraudsters. Cybercrime tactics have evolved aggressively in recent years and, with the arrival of A.I. technology, these methods have become even more difficult to identify and defend against. Ignorance of security vulnerabilities in your plan is no excuse if the worst-case scenario occurs and plan participants have funds stolen from them.
In the latest episode of the 401(k) Audit CPA Success Show podcast, Director and 401(k) Audit Practice Leader Kim Moore and Audit and Assurance Manager Karen Hill share the latest insights on cyber-fraud schemes and preventative strategies you and your team can use to follow best practices.
Key Takeaways
- Even if the plan is operated by a third-party service, such as Fidelity or John Hancock, the Plan Sponsor is still responsible to ensure all plan transactions are process accurately and represent transactions requested by the participant
- Emerging A.I. technology has increased the level of sophistication for cybercriminal attacks, introducing new ways to commit fraud
- The Department of Labor has pushed companies to take on a more proactive role when it comes to protecting participant funds from cybercrime activity
- Commit to performing a risk assessment at least annually and document it thoroughly as proof of your good faith effort to uncover potential security weaknesses
- Review distributions prior to processing to ensure they are legitimate requests to prevent fraudulent activity
- ERISA bonds can’t be used to cover a situation where a plan participant loses funds due to fraud, they cover a different type of risk
Cybersecurity Threats Target 401(k) Plans with Sophisticated Tactics
In order to get away with their crimes, a fraudster just has to be lucky once. Even if it takes a hacker 500 attempts, a single success is all it takes to clean out a participant’s account of all the funds they accumulated. As technology advances, cybercriminals use new tools like Artificial Intelligence to create new traps and tricks to gain unauthorized access to sensitive systems.
One of the latest cybercriminal tactics involves using an A.I. program to mimic a recording of a participant’s voice. The program can then be used to communicate with the plan’s service provider, posing as the participant, to request a distribution or otherwise change the account information in a way that prevents the actual participant from accessing their funds. Information can also be stolen and potentially sold off to commit further acts of fraud. Cybercriminals may also use information available via social media to guess passwords and answers to security questions.
Plan Sponsor, Plan Trustee Responsible for Replacing Stolen Funds and More
If a criminal is able to gain unauthorized access to an account and steals funds from a participant, the company would be liable to make that individual whole. If a participant had $50,000 in their account and the full amount was taken, the company would be responsible for replacing the $50,000 and the lost earnings that couldn’t accumulate in the participant’s account due to the fraud. These earnings lost because the breach wasn’t yet discovered must be paid back since, if those funds had remained invested, they would likely have increased. That $50,000 can quickly become $75,000.
Plan participants who have undergone similar circumstances have taken their company to court, arguing that their 401(k) plan should have had stronger controls to prevent it from occurring, and most of these cases have been successful in court. The Department of Labor has also taken a special interest in reducing the number of participants affected by cybercrime activity and has pushed for companies to take a more active role in keeping their participants’ accounts secure.
The Department of Labor Urges Stronger Protections for 401(k) Plans
One of the DOL’s functions is to protect employee benefits sponsored by employers including 401(k) plan accounts. For this reason, the DOL has taken an interest in the controls surrounding retirement accounts to help prevent losses due to cybersecurity issues. The DOL is encouraging employers to develop a preemptive plan to prevent and detect cyberattacks.
Now when the Department of Labor comes to your business, either to complete an audit, look into late contributions or responding to a complaint, the representative may ask about the policies and procedures your company has in place to protect employees’ accounts from cybercriminals. Failure to have a plan may result in a fine and additional visits from the department.
Preventative Rather Than Reactive Response
As the plan sponsor, there are tools at your disposal that can help prevent cybercriminals from accessing your plan’s accounts while also providing you with the opportunity to gather proof of your good faith efforts to identify and correct potential security vulnerabilities. At least annually, perform a risk assessment with the people who work with the plan for a few hours. This can include HR workers, payroll staff or even a member or two from the finance department.
Ask yourselves questions in order to better get into the fraudster’s frame of mind with the intention of discovering previously unnoticed holes in your security system. Document everything you find and the solutions you come up with. Keeping careful records of your attempts to strengthen your cybersecurity will be a good indication that you have put in the effort to keep your participants’ funds safe from harm.
Whenever a distribution is requested, what is your company’s internal control policy? Is the distribution approved right away, without anyone speaking to the participant and asking them if they made the request? If that’s how your plan is handled, it may be time to consider inserting new controls to ensure the participant was truly the one who requested the distribution rather than a criminal hoping to score an easy win. Implementing some zero-trust cybersecurity strategies, when applicable, can help prevent data breaches before they begin.
Speak with Your Service Provider about Their Policy
If you work with a service provider, reach out to them to ask if they’ve recently had a breach and, if you don’t already know, ask them about their policy in the case a breach does occur. What steps would they take after the breach? Be sure to also ask about when and how they would notify you in case of a breach. It’s very important to inquire about their preferred method of communication in the event of a security breach to ensure there’s no opportunity for a criminal to impersonate your service provider and trick you into giving away personal information. Keep your participants’ assets protected and keep adjusting the plan to make sure you’re accommodating new schemes in addition to the old, familiar ones.
Anders Technology Group works with companies to implement and improve cybersecurity strategies to keep your data secure. Learn more about our services, as well as the associated fees, by contacting Anders Technology.
If you need an audit for your 401(k) plan, learn more about our 6-phase 401(k) audit process or request a free 401(k) audit consultation below.
Watch the 401(k) Audit CPA Success Show: Is Your 401(k) Plan Protected from Cyber Threats? on YouTube and subscribe on Spotify or Apple Podcasts and let us know what you think by rating and reviewing.