DOL's cybersecurity tips were needed, but 401(k)s shouldn't ask much from participants

Odds are, your personal information -- including Social Security number, birth date and financial account numbers -- have been compromised and sold on the dark web, multiple times.

That means that all that might keep your 401(k) or IRA from being plundered are tight cybersecurity and fraud prevention systems. With trillions of dollars in the U.S. retirement savings system and these accounts representing the bulk of many workers’ assets, much is potentially at stake.

That makes the recent cybersecurity guidance from the Department of Labor particularly important, and it is critical that plan fiduciaries and service providers understand their responsibilities and liabilities.

Earlier this month, after a recent report from the Government Accountability Office called for clarity, the DOL issued three pieces of guidance, noting that it expects plan fiduciaries to follow certain practices. The guidance includes a set of tips for hiring service providers, a long list of cybersecurity best practices (aimed at retirement-plan record keepers) and online security tips for account owners and beneficiaries.

The last one, while necessary, makes my stomach drop, a bit. Everyone should know the basics of safeguarding their data and have some idea about how to spot scams or potentially malicious links. The DOL encourages participants to set up and routinely monitor their accounts, use strong passwords and change them three times a year, use multi-factor authentication, keep personal contact information current, get rid of unused accounts, avoid using free WiFi, and know how to spot phishing attacks.

That is all excellent advice. But if this places much responsibility on workers, that isn’t a great result. Our massive defined-contribution retirement plan system has grown so large and covers so many people by virtue of it being nearly invisible to them. Automatic enrollment, all-in-one default investments and annual contribution increases were designed around inertia -- the lack of action workers take around their 401(k)s -- and those features have been incredibly successful.

But that also means that we can’t count on people regularly checking their accounts, reading the DOL’s tips or paying much attention to presentations their employers give about data security.

In other words, a system built around inaction shouldn’t expect people to become more involved with it, or much less bear responsibility for keeping their accounts safe.

And who is left holding the bag when an account is fraudulently emptied? Many plan providers have guaranteed to make participants whole, and there is insurance for both cybersecurity breaches and fraud. But it might not always be the case that a raided 401(k) will be replenished.

Several lawsuits in recent years have been brought over that issue by defrauded account owners.

“Our industry spends billions of dollars to protect participants’ assets,” said Tim Rouse, executive director of The Spark Institute. “Securing your assets for retirement is job one. Growing them is job number two.”

The industry group set up a data security oversight board five years ago, and it has a fraud-prevention team that has made more than a dozen proposals about participant education, intelligence gathering and sharing, as well as industry best practices, Rouse said.

“We all recognize that … a breach, a fraud or a stolen account for one member is reputational damage across the industry,” he said.

And of course, data breaches and account fraud are not the same things. It can be nearly impossible to tie an instance of an account being illicitly emptied to a specific cyberattack, Rouse noted.

Spark’s cybersecurity standards for members align well with those provided by the DOL, he said. The groups, like the regulators, place some emphasis on the role of the individual in data security and fraud prevention, although responsibility is much higher among record keepers and plan sponsors.

“This is going to be a shared responsibility,” Rouse said. For account owners who are lackadaisical about their data, the questions can be: “Were you completely negligent in your protection of your account security? Did you ignore all the warnings?”

Law firm Morgan Lewis wrote in an analysis of the DOL’s guidance that the tips for workers “can serve as a useful way to reiterate to plan participants and beneficiaries that they also have a responsibility to mitigate their exposure to cybersecurity events.”

Plan fiduciaries should periodically educate savers about the subject and reiterate “that the plan participants and beneficiaries bear responsibility for ensuring that they are taking precautions to secure their plan benefits from external threats,” the Morgan Lewis analysis read.

I would compare this with car insurance. Generally, comprehensive auto policies cover the cost of replacing a car, even if it’s stolen while unlocked with the keys left inside. That situation does not show great judgment by a car owner, but insurance coverage shows a lot of deference to victims.

And even with illegally obtained usernames, passwords and personally identifying information, would-be 401(k) thieves face hurdles such as multifactor authentication and having their login locations scrutinized by security teams.

“It’s incumbent on the plan sponsor to ask [record keepers], ‘What kind of coverage do you have? Does it cover me? Does it cover my participants?’” Rouse said. “It’s critical to know that. These policies are relatively new.”

Although there are strong regulatory and industry standards, it will be important for employers to carefully vet plan providers, based on their security practices and insurance coverage. Workers should also do everything they can to secure their data and accounts, but that shouldn’t determine whether they can be left empty-handed if their 401(k)s are stolen.