The Facebook / Cambridge Analytica scandal, unearthed in March 2018, has heightened Americans’ awareness of privacy, data breaches and overall security. The London-based political consulting firm, which filed for bankruptcy two months later, compromised some 87 million Facebook users’ personal data, and has caused concern over how much of their personal information is floating around “out there”.
“Fraudsters” or “bad actors” (let’s call them what they are… CRIMINALS) have our data. In addition to the amount of data that we knowingly disclose, there is even more personal information that is unknowingly shared or stolen through large scale breaches. Target, Home Depot and Lord & Taylor are just a few retailers, in as many years, in addition to Experian, the credit reporting agency, whose data breaches have placed customer’s birthdates, social security and credit card numbers on the dark web, that there is enough information for cyber criminals to do serious damage.
Technology, encompassing social, productivity and shopping apps, provide daily conveniences that could be difficult to live without in the 21st century. For the conveniences, users sacrifice privacy and personal data. The amount of data we relinquish, knowingly or in most cases, unknowingly, is almost beyond comprehension. And, how the data is to be used and protected is hidden in lengthy user agreements that we blindly accept.
For most Americans, our 401(k)/403(b) plan is our largest asset outside (outside of home ownership). So, how susceptible are 401(k)/403(b) plans to cyberattacks? For many of the largest providers, it is not uncommon for them to experience as many as three million fraudulent attempts every day. Cyber-attacks are a constant threat to retirement plan recordkeepers.
Every year, the industry spends tens-of-millions of dollars to stay ahead of the increasingly sophisticated attacks.
Qualified retirement plans, including 401(k)/403(b), have features built in to help restrict fraudulent access to retirement funds. For example, most plans do not allow in-service withdrawals when participants are under 59 ½, the normal retirement age. Recordkeepers too have safeguards in place to ensure unauthorized persons cannot direct monies be transferred to a different account or mailed to a new address. Every year, the industry spends tens-of-millions of dollars to stay ahead of the increasingly sophisticated attacks.
The recent COVID-19 crisis has led to congress passing the CARES Act. The CARES Act allows Plan Sponsors to adopt features to increase loan amounts and/or offer penalty-free withdrawals for those affected by COVID-19. This means that some of the typical red-flags for requesting monies (under age 59 ½ for example) from a retirement plan have been removed.
Security of retirement plan assets should not solely fall on the recordkeeper. Participants can (and should) take steps to thwart fraudulent attempts to access their retirement plans.
The most effective way for participants to take advantage of the recordkeepers’ built in safeguards is to register their account online. The majority of retirement plan providers now offer dual authentication features that dramatically cut down the probability of fraudulent activity. In order for these features to work, the participant must have registered their account online. Those participants eligible for normal distributions, but do have not have access to their account online, are the most susceptible.
In the event a participant reports their identity has been stolen you can walk them through the following checklist.
• Change all passwords… and ensure they’re strong. There are a number of free or pay-for-service password management software applications available that encrypt strong, unique passwords for each site you visit. Dashlane, LastPass and Sticky Password are just a few.
• Contact the Federal Trade Commission (FTC) and file a police report
• Put a freeze on credit. A credit freeze does not stop fraudulent attempts to access accounts, but it limits who can view your credit report. In the event an unauthorized person has their information and tries to establish a new line of credit, an issuer will not be able to view the credit history and then be less likely to issue additional credit. This is typically offered at no cost to identity theft victims. Freeze the credit reports with all three credit rating agencies and know the thawing process.
• Enroll in credit monitoring. These services will help track any new accounts that may be opened fraudulently. Also, services are typically offered at no cost for identity theft victims.
• Call the plan provider and notify them of the breach. Request additional layers of authentication and stricter requirements for disbursing funds.
For more information, www.identitytheft.gov is a great resource with steps to create and track a recovery plan to assist in the process. With one-in- four Americans having experienced some sort of identity theft, it is important to know it doesn’t have to be a debilitating experience.
At Fiducient Advisors, we have a team dedicated to review recordkeepers to ensure safeguards taken in cyber security are reasonable and up to industry standards. If you have questions, please contact any of the associates at Fiducient Advisors
The information contained herein is confidential and the dissemination or distribution to any other person without the prior approval of Fiducient Advisors is strictly prohibited. Information has been obtained from sources believed to be reliable, though not independently verified. Any forecasts are hypothetical and represent future expectations and not actual return volatilities and correlations will differ from forecasts. This report does not represent a specific investment recommendation. The opinions and analysis expressed herein are based on Fiducient Advisor research and professional experience and are expressed as of the date of this report. Please consult with your advisor, attorney and accountant, as appropriate, regarding specific advice. Past performance does not indicate future performance and there is risk of loss.