Concerned about cybersecurity? Here’s how to protect 401(k) plans

All companies that manage personal consumer data are already concerned — or should be concerned — about cybersecurity. The scope and scale of cyberattacks continue to rise worldwide, as demonstrated last year by a breach that compromised data of 50 million Facebook users.

Retirement plans pose a new risk. Lawmakers are keen to protect the personal information of defined contribution plan participants. Recently, Sen. Patty Murray (D.-Wash.) and Rep. Bobby Scott (D.-Va.) asked the U.S. Government Accountability Office to “examine the cybersecurity of the private retirement system.”

Fortunately for plan sponsors, record-keepers and other parties in the retirement services industry, the same solution designed to address the multiple problems stemming from the upsurge in small, stranded 401(k) accounts — auto-portability — can also augment existing practices that protect plan participants’ personal data.

Auto-portability is the routine, standardized and automated transfer of a retirement plan participant’s 401(k) savings account from their former employer’s plan to an active account associated with their current job. This solution is underpinned by paired “locate” and “match” algorithms which work together to locate participants with multiple 401(k) plan accounts, confirm their identities, obtain consent for rolling over their stranded accounts. These accounts can exist in former employer plans or rolled into safe-harbor IRAs before they're moved into active accounts in their current employers’ plans. In addition, consolidation can include a roll-in to the participant’s current employer plan.

The act of consolidating accounts reduces the number of small accounts in the 401(k) system through auto-portability, which makes plan participant data more secure. Consolidating a participant’s multiple 401(k) accounts reduces the number of systems that store a participant’s data, and also encourages participants, sponsors and record-keepers to become more engaged when it comes to keeping track of accounts.

Auto-portability meets cybersecurity best practices

While there is currently no central legal framework regulating cybersecurity in the retirement services industry, the SPARK Institute published a compilation of recommended cybersecurity best practices for retirement plan record-keepers in 2017.

Auto-portability, which went live that same year, operates in conformance to the SPARK Institute’s cybersecurity recommendations.

For example, the SPARK Institute, a retirement policy center in Simsbury, Connecticut, issued 16 security control objectives, including the practice of encryption, which requires protection of both “data-in-motion and data at rest.” The institute suggests that the same data protection risk management standards be applied to suppliers. To address cybersecurity, the institute suggests these steps:

• Encrypt all sensitive information subject to auto-portability using Advanced Encryption Standard 256-bit encryption, an industry standard developed by the National Institute of Standards and Technology. There is no known type of cyberattack that can read AES-encrypted data without having the cryptographic key.

• Never combine a Social Security number with other personally identifiable information in any single file transfer. The objective should be to ensure there is never enough personal data in any single transmission for a hacker to use to steal an identity. In addition, any file with personal information should never include the identity of either the plan’s sponsor or the record keeper. That further thwarts a hacker from accessing an individual participant’s retirement account.

• Know that auto-portability supports multiple methods of exchanging secure data.

• Ensure that any information flagged during the locate-and-match process that doesn’t adhere to certain criteria requires additional verification to confirm an identity.

• Conduct full address-location searches to ensure that the correct participant is found and properly matched to multiple accounts.

When participants strand 401(k) savings accounts in former-employer plans, and nothing is done to transport them to active accounts in their present employers’ plans, there’s a strong chance that the worker may fall victim to a cybercrime.

Plan sponsors can protect themselves and their participants from hackers, and strengthen their overall cybersecurity preparedness, by implementing auto-portability to cull small accounts and missing participants.