Cyber-attacks on Section 401(k) plans and their participant accounts are not only increasing in number but, with the use of AI, they are increasing in sophistication. Plan fiduciaries, including employers which sponsor 401(k) plans, need to take steps to protect plan assets from these risks by implementing appropriate cybersecurity measures. All employees (not just HR staff) need to be aware of cybersecurity risks because those risks cannot be managed solely by IT security controls such as secure messaging and multi-factor authentication.

The 401(k) cybersecurity risks include phishing, which is the most common threat, and it is increasingly successful with the use of AI deepfake emails, voicemails and even videos. AI allows bad actors to obtain access to 401(k) accounts from participants and HR staff through deepfake impersonations of plan administrators, service providers and company officers and, in the case of bogus participant benefit withdrawals, of participants themselves. Consider the impact of a video call depicting someone who looks and sounds like the company CFO or a participant directing HR staff to implement a transfer or withdrawal of plan assets. Fiduciaries need to protect themselves from potential personal liability by having a rigorous verification process in place with respect to any participant benefit withdrawal or transfer of plan assets (see Cybercriminals May Be Stalking Your 401(k) Plan regarding how just a phone call could prevent an unauthorized benefit withdrawal).

Other 401(k) cybersecurity risks include ransomware attacks, unauthorized access to accounts through information hacked from service providers like TPAs and recordkeepers, and “credential stuffing,” in which participant credentials obtained from the dark web are tested by cybercriminals against various accounts, including 401(k) accounts. Individuals who reuse the same password across several accounts are vulnerable to this attack. So, part of employee compliance includes using passwords that are both unique and strong.

The Department of Labor issued cybersecurity guidelines for retirement plans in 2024 (see DOL Cybersecurity Guidance). Here are some of the basics:

  1. Back up all plan data to mitigate the risk of a ransomware attack;
  2. Educate employees on the cybersecurity risk to their 401(k) accounts by phishing attacks and make sure they use appropriate passwords;
  3. Implement internal verification procedures for all transfers of plan assets;
  4. Use multi-factor authentication for 401(k) account access; and
  5. Select service providers with good cybersecurity practices and have appropriate cybersecurity provisions in your service contracts with those providers.

As ever, consider fiduciary liability insurance for plan fiduciaries, including the sponsoring employer, to mitigate the risk of any blowback from a cyber-attack on your 401(k) plan.

Andrew S. Williams has practiced in the employee benefits and ERISA arena since ERISA was passed in 1974. He has been recognized by his peers through a survey conducted by Leading Lawyers Network as among the top 5 percent of Illinois lawyers in Small, Closely and Privately Held Business Law and Employee Benefit Law. He maintains a website, www.BenefitsLawGroupofChicago.com, with additional updates, commentary and analysis on benefits and employment topics.

The above material is intended for general information purposes and should not be relied on or construed as professional advice. Under the applicable Illinois Rules of Professional Conduct, the contents of this e-mail may be considered to be attorney advertising. The transmission of this information is not intended to create, and receipt of it does not create a lawyer-client relationship.
