I’ve often had this dark thought: Can 401(k) plans be hacked and money stolen from them?
I know. That’s a really horrible premise. But if 7,000 companies could be compromised by the NotPetya malware while big companies like Equifax, Target and Yahoo experienced breaches of hundreds of millions of accounts, then what makes us believe that cybercrooks aren’t going after retirement funds?
I’m not ahead of the curve on this. Cyberthieves are likely targeting retirement funds because that’s where the money is. According a recent survey by Fidelity, their individual 401(k) and IRA accounts balances averaged just over $100,000.
Out of the $28 trillion in U.S. retirement assets, some $5 trillion is in 401(k) plans, according to the Investment Company Institute, a mutual fund trade group. That’s a target as big as Montana.
Are employers doing enough to protect this epic pile of money? While that’s hard to answer, a recent report by the investment consultant Callan Associates, notes:
“While hacking is nothing new, the pace of large-scale cyberattacks has accelerated significantly in recent years, most
notably the Equifax hack, which exposed the private information of a majority of Americans.
More worrisome for many plan sponsors [employers], the focus of cyberattacks in the defined contribution (401k) world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.”
In plain English, that means you need to be asking some pointed questions of your 401(k) administrator. You need to know what kind of cybersecurity measures are protecting your retirement kitty. This is what Callan suggests:
— What is their internal risk? Where does their data go and how is it transmitted and stored (e.g., to third parties, or maintained on a server or in the cloud)?
— Has your employer conducted appropriate due diligence on their vendors, and the partners that those vendors may share data with?
— How does the organization define a “breach”? How do their vendors define a “breach,” and what triggers disclosure?
— How does your employer or middlemen monitor their internal processes and procedures and their external partners on an ongoing basis? What is their process for when they experience a breach?
Most importantly, find out if your employer has cyberinsurance that would cover a breach or hacking incident. Would losses be covered? Have they erected sufficient cybersecurity defenses? These are all things you need to know.