Cybercriminals and company 401(k) plans: 8 simple steps to guard against cyberattack

by Crystal A. Skotedis

Six months. That’s how much time passes before most cyberattacks are detected.

Six weeks. That’s the time spent recovering from those attacks.

Suddenly, a shadowy criminal consumes nearly eight months in the life of your business. If you have employee 401(k) plans, your business faces an even higher risk from hackers looking to get a combination of ready cash and sensitive information in one alluring package.

The costs of remediation and recompense – as well as to your business’ reputation — far outweigh the dollars you could have spent on prevention.

Foreign hackers increasingly target American 401(k) assets, which now total more than $5 trillion. Since 2013, more than 3.8 million records have been stolen daily. Retirement plans are particularly juicy targets because they exist almost entirely in an electronic environment, with copious sensitive information passing among multiple third parties.

As you consider whether to beef up cybersecurity, consider:

• Your company is responsible for oversight: Chances are, you’ve dispersed the various tasks of retirement-plan management to a host of qualified third-party administrators. Your trusted asset custodians, administrators, investment advisors, auditors, or outside trustees are on the job. However, in the case of a cyberattack, they are not responsible for the repercussions. You are. The law and court cases are straightforward. Your company bears full responsibility for all actions of the parties you hire.
• Your insurance doesn’t guarantee blanket protection: Insurance is crucial to protect against financial losses, but if your company or employees open the door to a security breach, the provider can limit the payout.

8 steps to tighten your company’s cybersecurity

Every company needs a retirement-assets data security plan that has two primary purposes – protect the sensitive employee data entrusted to you, and protect all retirement-plan savings placed in your care.

You’ll probably need to contract a cybersecurity professional to customize your data security plan, but the investment is worth it. Before hiring a cyber professional, ask for recommendations, conduct interviews, and secure an agreement or engagement letter that details the terms of each service provided.

Additionally, you’ll want to review your cyber liability insurance. Keep in mind that some plans will not honor, or only partially honor claims, if an employee was partially to blame, such as getting tricked into providing sensitive material. It also makes sense to have an independent review of your insurance from an expert who can examine your vulnerabilities in all areas including cyber, and recommend the type and level of coverage you need. 

In the meantime, take these simple but effective steps now:

1. Ensure that all internet-accessible computer systems storing employee data have adequate security measures, including proper encryption, firewalls, or authentication protocols.
2. Routinely train your personnel and raise their awareness of phishing attempts and other tactics cybercriminals employ to crack your system. The weakest link in any cybersecurity system is your employees. Outsourcing the training can be a cost-effective strategy for finding repeat offenders, breaking bad habits, and, if necessary, limiting their access to sensitive online systems and records.
3. Protect the login. Utilize strong passwords and two-factor authentication systems. Don’t use the same login ID or password for multiple sites. Never allow a browser to store login information, and don’t share it, either.
4. Identify plan participants who haven’t established logins to their retirement accounts online, and strongly encourage them to do so. The first victims are always those who haven’t created an account, because cybercriminals make up their own online IDs and passwords. Often, breaches go undetected for months.
5. Share information only through secure portals with your service providers, employees, participants, and beneficiaries. Never transmit sensitive information via email.
6. Ask your service providers annually about their security measures. Understand their systems, processes, and protocols. Ask if breaches have occurred and request copies of their security audits.
7. Regularly monitor participants’ activity to check for suspicious activity, and ask them to monitor their accounts as well. Many of us have been taught to think of 401(k)’s as “set it and forget it” roads to retirement, and cybercriminals take advantage of the opportunity to slip in undetected. Regular check-ins can unmask potential irregularities.
8. Understand your cyber insurance coverage. Address any apparent gaps in the policies, and adopt internal controls to guard against missteps that could be used to minimize or even deny your claim.

With a cybersecurity mindset in place, your company and employees can feel more confident that retirement funds are safe. Contact the professional CPAs of Boyer & Ritter for highly qualified team members ready to administer and guard your 401(k) plans with fidelity and assurance.

Crystal A. Skotedis, CPA, CFE, is a principal at Boyer & Ritter LLC, where she is co-chair of the firm’s Employee Benefit Plan Services Group and is knowledgeable on all standards and requirements under Employee Retirement Income Security Act and U.S. Department of Labor regulations. She also provides audit, accounting, tax and consulting services for a variety of clients and industry groups. Contact Crystal at 717-761-7210 or cskotedis@cpabr.com.