News of commercial database hackings involving personal information seems all too common. While many of these stories focus on bank and credit card accounts, many plan sponsors and participants do not realize that 401(k) plan assets may also be at risk. This can be a problem not only for participants, but sponsors as well. While no sponsor wants to see participants sustain financial hits, depending on how a cybertheft unfolds, sponsors could be left holding the bag.

Importance of monitoring

Sponsors should not only take precautions from their end, but regularly educate and warn participants about safety measures that they should be taking. Participants' infrequent monitoring of what is happening in their 401(k) accounts could make these accounts vulnerable. Indeed, sometimes participants are even encouraged to not worry about short-term fluctuations and volatility in their retirement accounts, and instead focus on the long run.

However, regular monitoring of accounts by participants is important. For example, one identity theft case tells the story of a plan participant who was recently divorced and moved out of the house, but did not update his address with the plan administrator or review his account. In the meantime, his ex-wife cleaned out his more than $42,000 balance.

The ex-spouse managed to hijack the account after opening mail from the plan administrator addressed to her ex-husband. She then made a fraudulent password change that was enabled by confidential information contained in the letter. The dispute was over whether or not the plan administrator could be held liable for the theft. The court ruled that the participant had to suffer the consequences of his failure to inform the plan of his change of address, as required by the plan and documented in the summary plan description (SPD).

Limits of protection guarantees

It is also critical for sponsors and participants not to be lulled into a false sense of security by plan service providers' customer protection guarantees. Be sure you and your participants understand the caveats that go with them. For example, one large bundled retirement plan service provider issues a broad warning that the company will "reimburse you for losses from unauthorized activity in covered accounts," but only when "occurring through no fault of your own."

What does that mean? For starters, the company assumes no responsibility for transactions on behalf of the participant carried out by the participant's own financial advisor. Those are deemed to have been authorized by the participant, whether they actually were or not.

Participants must also "adopt [the service provider's] recommended security practices," as outlined on the firm's website. Those include checking account information frequently and reviewing correspondence from the administrator promptly, but "no later than 30 days after that information is posted to your account or delivered to you."

In addition, the service provider reserves the right to determine the applicability of its customer protection guarantee "based on the facts of your situation." All of these combine to significantly limit the advisor's liability. Be sure to communicate this with your participants.

Role of sponsors

Plan sponsors also need to protect themselves from negligence on the part of participants. As noted in the case of the participant whose ex-wife stole his account balance, the plan sponsor was not held liable for the loss, thanks to its clear articulation of participants' obligations in the SPD. Review your SPD with your benefits specialist to make sure you, as the plan sponsor, are not left holding the bag in this type of situation.

Finally, sponsors must perform strict due diligence in assessing plan service providers' cyberfraud protection systems. This includes reviewing your own internal safeguards against plan administrative practices that could open the door to a breach.

Rewards of diligence

Without adequate vigilance, anybody can be a few clicks away from a retirement plan wipeout. Being prepared and diligent in reviewing your plan documents and educating your participants about their responsibilities for monitoring their accounts will help avoid losses and litigation for all parties.

Sidebar: Action steps for participants to avoid fraud

Besides monitoring their account regularly, what precautions should plan sponsors encourage their participants to take to safeguard their retirement savings account from loss by hacking? Participants should take the same steps they use to protect their other financial accounts, including:

  • Using strong passwords and changing them regularly;
  • Not using the same log-in ID and passwords for multiple websites;
  • Taking advantage of two-factor authentication for account access;
  • Rejecting the option of having the Internet browser memorize login information; and
  • Never sharing login information.

While participants have probably read these kinds of pointers many times, realizing that they are vital to protect their retirement plan accounts might come as a surprise to some. Make this a regular part of your plan's education to participants.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.