What Are the DOL Rules for 401(k) Cybersecurity?

Keeping financial accounts safe from cyberattacks has become more important than ever as Internet crimes continue to rise. The Federal Bureau of Investigation estimates that cybercrime cost its victims $6.9 billion in 2021.

If you have a 401(k) or another plan covered by the Employee Retirement Income Security Act (ERISA), you may be wondering whether those accounts are safe. In 2021, the U.S. Department of Labor (DOL) issued new cybersecurity guidance designed to protect plan sponsors and participants from cyberattacks.

Key Takeaways

Internet crime cost its victims $6.9 billion in 2021, according to FBI data.
Though they’re less frequently the targets of cybercrime attacks, 401(k) plans and other retirement accounts may still be susceptible to fraud or hacking.
The Department of Labor instituted new cybercrime guidance in 2021 for plan sponsors, fiduciaries, record-keepers, and plan participants.
If you have a 401(k) plan at work, there are several things you can do to protect yourself against cybercriminals.

Understanding 401(k) Fraud and Cybercrime

Cybercrime is something many people may think of as exclusively linked to bank or credit card accounts. For instance, many high-profile hacking reports in recent years have involved the theft of debit and credit card information from retailers’ point-of-sale systems. Other common types of cybercrime involve email or text phishing scams, and malware attacks designed to steal online or mobile banking login information.

Retirement accounts, including 401(k) plans, are not immune from being targeted, however. Fraudsters can use a variety of tactics to target workplace plans and drain employees’ retirement savings. One of the most common types of fraud involves account takeover. Here’s how it works:

A cybercriminal obtains access to an individual’s 401(k) plan login information, either through a phishing scam, a malware attack, or a combination of the two.
They use that information to log in to the employee’s 401(k) plan and change certain details of the account, such as the contact phone number and address or the login password.
Assuming those changes go unnoticed, the fraudster can then initiate transfers of funds from the 401(k) to an externally linked account or have paper checks mailed to the updated address.

Account takeover fraud can also happen with other types of accounts, including individual retirement accounts (IRAs), taxable brokerage accounts, and bank accounts.

Important

Though bank and credit card accounts enjoy federal fraud protections, those generally do not extend to 401(k) plans and other retirement accounts.

DOL 401(k) Cybersecurity Guidance

In 2021, the Department of Labor introduced new guidance to help protect 401(k) plans and other ERISA-governed retirement plans against cyberfraud. This guidance is designed to assist plan sponsors, fiduciaries, record-keepers and plan participants in safeguarding 401(k) plans from identity theft and other types of cybercrime. The guidance focuses on three specific areas: tips for hiring service providers, cybersecurity program best practices, and online security.

Guidance for Plan Sponsors

The new DOL rules encourage plan sponsors to work with service providers that follow strong cybersecurity practices. Specifically, the DOL suggests that plan sponsors do the following when vetting providers:

Ask about the provider’s information security standards, practices, and policies and compare them to industry standards other financial institutions use.
Look for providers that follow a recognized standard for information security.
Ask the provider how it validates its practices and what level of security standards are implemented.
Evaluate the provider’s track record within the industry and ask about any past security breaches the provider may have experienced.
Research whether the provider has insurance policies in place to cover cybersecurity losses, including situations in which plan participants’ accounts have been hacked.
Ensure that any contract with a service provider requires ongoing compliance with cybersecurity and information security standards.

Your plan sponsor may be able to provide you with information about the cybersecurity measures it implements upon request.

Guidance for Fiduciaries and Record-Keepers

Under the DOL’s rules, 401(k) plan fiduciaries and record-keepers also bear responsibility for ensuring that they’re doing their part to mitigate cybersecurity risks. The list of recommended best practices includes the following:

Have a formal, well-documented cybersecurity program.
Conduct annual risk assessments in a prudent manner.
Schedule annual third-party audits of security controls.
Clearly define and assign information security roles and responsibilities.
Put strong access control procedures in place.
Ensure that assets or data stored in the cloud or managed by third-party providers are subject to appropriate security reviews and assessments.
Conduct periodic cybersecurity awareness training.
Implement and manage a secure system development life cycle (SDLC) program.
Create an effective business resiliency program that addresses business continuity, disaster recovery, and incident response.
Encrypt sensitive data at all times.
Implement strong technical controls in alignment with best security practices.
Respond appropriately to past cybersecurity incidents.

Guidance for Plan Participants

The DOL also offers tips for 401(k) plan participants to help them do their part in keeping their accounts safe. Many of these tips are the same strategies that are encouraged to protect online banking information. Here’s what the DOL suggests:

Routinely monitor your account, looking for any unusual activity or transactions that you don’t recognize.
Use strong and unique passwords to log in to retirement accounts and update them regularly.
Set up multifactor authentication if your plan sponsor or servicer offers it.
Keep personal contact information listed for your account up to date.
Close or delete unused financial accounts.
Avoid the use of public Wi-Fi to access financial accounts.
Be wary of phishing scams.
Use antivirus software to protect your devices and regularly update it.

Tip

If you believe your 401(k) has been breached, contact your plan sponsor as soon as possible to report it. You can also report cybercrime to the FBI and the Cybersecurity & Infrastructure Security Agency (CISA).

Can a 401(k) Be Hacked?

A 401(k) can be hacked if someone is able to gain access to your account login information, including your user ID and password. Hackers can use a method known as account takeover to siphon off funds from someone’s 401(k) plan just as they could with a bank account.

What Happens if Your 401(k) Is Stolen?

If you believe someone has fraudulently withdrawn money from your 401(k) or a similar workplace retirement plan, the first step is contacting your plan sponsor. They should be able to advise you on what to do next, which may involve reporting the fraud to the appropriate federal authorities. Whether you’ll be able to recover stolen 401(k) funds may depend on the plan sponsor’s policies for addressing cybercrime.

How Do I Secure My 401(k)?

Some of the best ways to secure your 401(k) account include using unique passwords, not sharing your login information with anyone you don’t know, and avoiding the use of public Wi-Fi when accessing your accounts online. You can also set up alerts to notify you of new activity or changes to your account and learn how to spot potential phishing scams that may land in your email inbox.

The Bottom Line

You work hard to contribute money to your 401(k) for retirement, and the last thing you want is for cybercriminals to steal it. The unfortunate reality is that 401(k) plans and other workplace retirement plans may be just as vulnerable to cyberattacks as other types of financial accounts. The DOL’s new 401(k) cybersecurity guidance is a step in the right direction for protecting these accounts. Remaining diligent and monitoring your accounts regularly can help keep your retirement savings secure.