401(k) plans not only contain significant financial assets but also retain participants' personal information. This can make the plan vulnerable to cybercriminals.
In addition, data from 401(k) plans may be shared with third-party service providers. As noted in a Society for Human Resource Management article, "There is a growing trend of using participant data to cross-sell financial products unrelated to plan recordkeeping by large recordkeepers and asset custodians of employer-sponsored retirement plans."
There's also the troubling possibility of theft by the actual plan sponsor. This includes employers that use participants' 401(k) contributions to cover their own personal or business
It's important to be aware of potential abuses in your 401(k) plan and to protect it against these abuses.
Protection against 401(k) cyber crimes
As a starting point, you can refer to the U.S. Department of Labor's best practices for Employee Retirement Income Security Act-covered plans, which include 401(k) plans.
The DOL's recommendations include the following:
Develop a formal, documented cybersecurity program.
Perform annual risk assessments.
Have a credible third party audit the plan's internal controls.
Assign information security roles and responsibilities to the appropriate people.
Establish clear rules on who does what regarding the plan.
Make sure 401(k) information that is stored on the internet or managed by third parties consistently undergoes security reviews and assessments.
Provide employees with cybersecurity awareness training.
Maintain a business resiliency program that addresses incident response, disaster recovery and business continuity measures.
Respond effectively to cybersecurity incidents.
Protection against 401(k) data sharing by service providers
Employers are responsible for the management of their 401(k) plan. So if the plan is mismanaged by a third-party provider, the employer might face legal scrutiny.
As mentioned, an increasing area of concern involves 401(k) service providers using participant data to cross-sell and market their own unrelated products, such as life insurance or high-interest
Per Bloomberg Law, this has led to several employee lawsuits contending that "their employers are breaching a fiduciary duty to avoid conflict-of-interest transactions."
Note that there's no settled law regarding utilizing plan data for solicitation purposes. However, the SHRM article says that, based on new state laws and DOL actions, "this is an area of growing concern at both the state and federal levels."
To avoid employee complaints and lawsuits, it may be best for employers to limit their service providers' use of 401(k) data. This can be addressed in the plan service agreement.
Protection against theft by plan sponsors
It may boggle the mind that an employer would offer a 401(k) plan only to turn around and steal employees' contributions. However, this happens more often than you might think, and many employers have faced criminal prosecution as a result.
The bottom line is: Never use participants' 401(k) contributions for your own purposes. Not only is it a crime, but it also robs participants of their hard-earned 401(k) savings. Remember also that this is just a summary. To be sure you are not even inadvertently violating any rules, work closely with legal professionals.