Author: Paul A. Carl, CHSA, CPFA™ Vice President, Retirement Plan Consulting, Registered Representative
Imagine checking your 401(k) plan account expecting to see a balance of several hundred thousand dollars, only to find that your balance stands at $0. A quick check of your transaction history shows that a total distribution you never requested has taken place. What would you do? If you’re Paula Disberry, you file a lawsuit in U.S. District Court, Southern District of New York, against your retirement plan committee, the 401(k) plan recordkeeper, and the plan’s custodian (search Case No. 22-CV-5778 for more detail).
When the Employee Retirement Income Security Act was adopted in 1974, any utterance of “cybersecurity” most likely would have sounded like something out of science fiction. Today, it's big business and extremely important. Marketing research firm BrandEssence estimates the global cybersecurity industry will reach $403 billion by 2027, as reported on July 22, 2022 by Fortune.com. In Spring 2021, the U.S. Department of Labor, EBSA published “Tips for Hiring a Service Provider with Strong Cybersecurity Practices.”
At the participant level, cybersecurity risks include loss of plan assets and unauthorized acquisition of personally identifiable information (“PII”). PII is your sensitive data, such as your Social Security Number, driver’s license or state identification number, financial account and credit card numbers, and medical information. For the plan sponsor as well as plan service providers, risks encompass regulatory fines and expensive remediation, litigation, costs associated with data recovery and system restores, and claims under local and state laws, not to mention reputational risk.
Several best practices for plan participants include:
- Establish multi-factor authentication
- Use a strong password and never share that password
- Verify the correctness of your PII
- Monitor your account on a regular basis
- Be on guard for fake emails and texts that look real
Plan sponsors and service providers, whether or not they act in some type of fiduciary capacity, should establish cybersecurity policies and procedures that incorporate the DOL Tips mentioned above. Train staff on cybersecurity, document that training, and revisit it periodically. The DOL has initiated cybersecurity reviews: plan sponsors have reported receiving a DOL letter specifically addressing their plan’s cybersecurity practices for the previous three years.
Do your plan service providers and fiduciaries have cybersecurity insurance?
HORAN Capital Advisors, LLC is an SEC registered investment advisor. The information herein has been obtained from sources believed to be reliable but we cannot assure its accuracy or completeness. Neither the information nor any opinion expressed constitutes a solicitation for the purchase or sale of any security. Any reference to past performance is not to be implied or construed as a guarantee of future results. Market conditions can vary widely over time and there is always the potential of losing money when investing in securities. HCA and its affiliates do not provide tax, legal or accounting advice. This material has been prepared for informational purposes only and is not intended to provide and should not be relied on for tax, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any transaction.