Those of us who work with company-sponsored defined contribution retirement plans have become familiar with the word “friction.” It refers to little things that get in the way of participants contributing to or increasing their contribution to the retirement plan. Things such as logging on to a website or remembering a PIN or password qualify as friction. Of course, the best way to reduce friction is to take advantage of the many technological advances in the way we access our accounts. Most of the advances are welcome as they do have the ability to help reduce friction and improve participation and engagement in the retirement plan. “Alexa, how does my balance compare to other people my age? Alexa, how does my contribution compare to other people my age? Alexa, increase my contribution by 2%.”
Certainly with these many advances there is an increased threat to the security of plan assets. While many are thrilled about the idea of improving outcomes, we as fiduciaries must be more and more vigilant when it comes to keeping the assets of the plan secure. A transaction that once required paper, a signature, and review by one or more individuals, can now be performed by speaking into a device in your home.
Some plan sponsors I have spoken to have an immediate reaction that may sound something like, “Well, I’ll just turn that feature off.” Some are not fully accepting that the risk is legitimate. All agree, though, that while there is a high degree of confidence (real or perceived) in the cybersecurity of their own organization and their recordkeeper, none are comfortable with the ability of their individual employees to safeguard their information from cybercriminals.
Whether or not the loss of a participant account balance is a fiduciary loss will depend on the facts of the case. So let’s follow this train of thought for a moment. Employee Joe Smith has his identity compromised in some other part of his cyber life (Twitter, LinkedIn, Target, Gmail, or Facebook). He happens to use the same username and password combination that was stolen for his 401(k) plan with Fidelity. The thief will use computer programs called “bots” to run this password combination through the largest financial institutions first (Chase, Bank of America, Fidelity, Vanguard), and, voilà, a hit on the Fidelity site. From there the thief liquidates (distributes) Joe’s $320,000 retirement plan balance. Who is going to make Joe whole? Is this a fiduciary loss? If not, so what? Are you going to tell the participant, “Sorry, you’re out $320,000”? Other articles will touch upon the importance of indemnifications between the fiduciaries and the company, the company and the recordkeeper, etc. The insurance folks will touch on the importance of coordination of coverage – is it fiduciary liability or cyber liability insurance? What are the terms and exclusions? I’d like to focus on the loss-control aspect going forward.
Everywhere we work, companies accept a certain amount of risk, offload the risk to a third party – or some combination of both. Whatever the risk strategy, most organizations do whatever they can to mitigate the risks. This is commonly referred to as “loss control.” We teach folks how to drive a forklift, to wear safety goggles, to sit properly in their chairs. We hire third parties to help us manage our fiduciary risk – yours truly. So what can be done to help mitigate the risk of cyber theft of an individual account of a corporate retirement plan?
First, most companies provide some level of training to their employees regarding electronic data security, using social media, and privacy and protection of data. This type of training should absolutely include training around protecting individual employee data and the importance of protecting their 401(k) plan data.
Second, and this is covered by other individuals in this issue, make sure the vendor has controls in place. Verify that they’ve tested their systems, how they share data with third parties (intranet portals, HRIS systems, third-party administrators, financial wellness vendors) and how they plan to be accountable for any breaches.
Finally and most importantly, engage the participants in the retirement plan. A couple of vendors have artificial intelligence that learns the behavior of participants when they log on to the website, or it recognizes their voice when they call in to the call center. If someone other than the participant tries to navigate the website or call into the call center, red flags will go up. This is phenomenal first-defense technology, save for one very important detail – most participants (higher than 80% at some companies) have never logged on or called in. Yikes! This is one of the first things we do with clients of Westminster Workplace Solutions: have the participants log on or call in. At the very least, we are helping create a baseline for security. As with most things, knowledge and engagement will help solve a lot of problems. Once the participants are engaged in the retirement plan, the benefits both they and the plan sponsor will see go well beyond cybersecurity risk mitigation. With engaged participants, the retirement plan has the ability to go from a must-have benefit to a secure, life-changing tool, with employees who are less stressed financially and who understand their employer cares about their financial wellbeing.
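To make the “baseline” point concrete, here is an added illustration (not code from this article or from any recordkeeper) of the kind of check a vendor’s behavioral screening can apply to a distribution request: it holds the request when the account has no login history old enough to serve as a baseline, when the request comes from an IP/device pair never seen before, or when it would empty the account. The participants, IP addresses, and devices are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Login:
    ts: datetime
    ip: str
    device: str


@dataclass
class Distribution:
    ts: datetime
    ip: str
    device: str
    amount: float


def baseline(logins, before):
    """(ip, device) pairs from successful logins that happened before `before`."""
    return {(l.ip, l.device) for l in logins if l.ts < before}


def assess(logins, req, balance, min_age=timedelta(days=1)):
    """Score a distribution request against the account's login history.
    Logins younger than `min_age` do not count as baseline: the session that
    is asking for the money cannot also be the evidence that it is legitimate.
    Returns ("allow", []) or ("hold", [reasons])."""
    base = baseline(logins, req.ts - min_age)
    reasons = []
    if not base:
        reasons.append("no login baseline")        # the 80% who never logged on
    elif (req.ip, req.device) not in base:
        reasons.append("unfamiliar ip/device")     # known participant, new place
    if req.amount >= balance:
        reasons.append("full balance")             # liquidation, not a withdrawal
    return ("hold", reasons) if reasons else ("allow", reasons)


# Constructed sample data (RFC 5737 documentation addresses).
T = datetime(2024, 3, 1, 9, 0)
# Joe: first-ever login, then a full liquidation five minutes later.
JOE_LOGINS = [Login(T, "203.0.113.7", "unknown-browser")]
JOE_REQ = Distribution(T + timedelta(minutes=5), "203.0.113.7", "unknown-browser", 320_000)
# Jane: a year of monthly logins from her home PC, then a small withdrawal.
JANE_LOGINS = [Login(T - timedelta(days=30 * i), "198.51.100.4", "home-pc") for i in range(1, 13)]
JANE_REQ = Distribution(T, "198.51.100.4", "home-pc", 5_000)
# Jane's credentials used from an unfamiliar device to empty the account.
JANE_STRANGE = Distribution(T, "203.0.113.7", "unknown-browser", 150_000)
```

Joe’s request is held because there is nothing to compare it against, which is exactly the gap that getting every participant to log on or call in is meant to close.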