
Opinion: Protecting 401(k) plans from fraud in the digital age

Fraud. A word most professionals associate with distant headlines or criminal enterprises – not their own employee benefit plan. But as digital threats grow more sophisticated, fraud has become an increasingly personal risk, especially in the realm of retirement savings. Today, plan sponsors must navigate an evolving landscape of cybersecurity threats while fulfilling their fiduciary duties under the Employee Retirement Income Security Act of 1974.

With approximately 70% of private industry workers having access to defined contribution plans, according to the U.S. Bureau of Labor Statistics, it’s clear that businesses recognize the importance of helping employees achieve retirement security. But how secure are those retirement funds?

Fifteen years ago, plan sponsor fiduciary responsibilities were largely focused on:

  • Ensuring compliance with Department of Labor and IRS rules and regulations
  • Operating the plan in accordance with its governing documents
  • Managing investment options prudently
  • Implementing internal controls to safeguard against improper loans, distributions and contributions, mainly from internal threats

However, in today’s digital environment, new risks demand attention. Cyberattacks and identity theft are no longer abstract threats – they are real, recurring risks that can lead to unauthorized distributions, data breaches and financial loss.

Emerging threats
Modern fraud threats include:

  • Ransomware attacks on plan sponsors, payroll providers or recordkeepers, in which access to critical systems is blocked until a ransom is paid – often with no guarantee of recovery
  • Compromised login credentials, leading to unauthorized loans or distributions
  • Phishing and malware attacks that extract sensitive information from payroll systems or participant accounts
  • Social engineering, where fraudsters impersonate trusted contacts to gain access to protected data
  • Insider threats, such as employees with excessive access exploiting their position

Plan sponsor responsibilities
Fiduciary duties under ERISA Section 404 require plan sponsors to act prudently and solely in the interest of plan participants. That now includes strong cybersecurity governance. The DOL’s Employee Benefits Security Administration outlines the following best practices for plan fiduciaries:

  • Conduct annual cybersecurity risk assessments
  • Establish a formal, documented cybersecurity program
  • Undergo annual third-party audits of security controls
  • Assign clearly defined roles and responsibilities for information security
  • Implement logical and physical access controls
  • Ensure third-party vendors follow security protocols and are subject to review
  • Train staff on cybersecurity awareness
  • Develop and test business continuity and incident response plans

Empowering plan participants
Fraud prevention doesn’t stop at the plan sponsor. Participants also must take responsibility for protecting their accounts. The DOL offers practical tips for account holders:

  • Register, set up and actively monitor online retirement accounts
  • Use strong, unique passwords and update them regularly
  • Enable multifactor authentication
  • Verify that personal contact information is accurate and current
  • Avoid accessing accounts over public Wi-Fi
  • Stay alert to phishing emails and suspicious links

Participants who do not engage with their accounts – such as failing to register or regularly monitor activity – are statistically more vulnerable to fraud.

A joint effort
Plan sponsors should educate employees through regular communications, onboarding materials and cybersecurity training. Partnering with recordkeepers and third-party administrators to offer these resources can further reduce risk.

Ultimately, protecting retirement plans requires a collaborative approach between fiduciaries, third-party vendors and individual participants. Cyber threats are evolving, and so must our strategies for detection, prevention and response. Staying informed and implementing best practices is no longer optional – it is a core fiduciary obligation.

CPA firms that specialize in employee benefit plans can help with prevention efforts as well as compliance. Services such as audits, internal control evaluations and agreed-upon procedure engagements tailored to the specific risks you face as a plan sponsor can play a key role in getting ahead of fraud threats and protecting your employee benefit plan assets.

Stephanie J. Rice is a partner at Elliott, Robinson & Co. LLP. She can be reached at srice@ercpa.com.