
Cybersecurity Risks for Retirement Plans

04/23/2021 Kerri Walz

Every year, tens of millions of people fall victim to cybercriminals and, unfortunately, many of them don’t realize what is happening until it is too late. From Social Security number theft to full identity fraud, cybercriminals can do a lot of damage with just a bit of your personal information. For companies, the risks associated with cybersecurity are on a much higher level. Not only do most companies have access to large sums of money, but they also hold the private information of their employees and customers. A single attack from a cybercriminal could easily put many companies out of business, especially in these trying times. One of the most prevalent risks for companies comes in the form of their employees’ retirement plans. If left unchecked, these accounts can easily be poached. In fact, the Department of Labor recently published guidance on cybersecurity best practices for retirement plans. We encourage readers to review that guidance in conjunction with this article.

Auto Portability

In order to comprehensively understand the cybersecurity risks for both your company and your employees, it is important to understand the associated terminology. As people move from one company or job to the next, their 401(k)s typically move with them. However, not all employees take their 401(k)s with them when they change jobs, which increases cybersecurity risks. To help reduce this risk, auto portability is the standard method of transferring an individual’s retirement account from one employer to another. This is done through a series of algorithms that locate these accounts, confirm the identity of the individual in question, and then migrate those funds into an active account. By doing this, companies can cut back on the potential hemorrhage of money that can be stolen by cybercriminals if these retirement accounts sit stagnant for too long. Cybercriminals often target smaller accounts with fewer funds that have been left for months or years without contribution. By quickly migrating these accounts and unifying them into one complete 401(k) account, companies can cut back on potential risks both to themselves and to their employees.

Auto portability has also been a hot topic in the world of retirement plans of late because many believe it will help decrease retirement savings shortfalls, as there will be fewer cash-outs. The DOL issued regulatory guidance regarding auto portability in both November 2018 and July 2019. Many 401(k) plan providers have not yet adopted this feature; however, plan sponsors should be aware of it and continue to follow new developments regarding auto portability.

Encrypt Sensitive Information

Sensitive information is a goldmine for cybercriminals, so always encrypt it using 256-bit encryption. There has never been a successful cyberattack on this type of encryption without the cryptographic key, which can help save your company and retirement plan millions of dollars in potential losses.

Limit the Information Sent

Never combine a large amount of sensitive information in a single transfer of data. If a hacker gets hold of an employee’s Social Security number and a few other basic pieces of information, they could easily drain accounts in a matter of seconds. Keep in mind that if your company is found liable for this information leak, you could be on the hook for millions of dollars in damages.

Plan sponsors should educate themselves on security threats as well as provide education for participants. Plan sponsors and participants should understand the risks associated with easy-to-crack passwords and that sharing passwords creates additional dangers. Additionally, while many participants contribute to their 401(k) plans, they don’t check their account activity regularly. Participants should be encouraged to review their retirement plan account details just as they do their bank and credit card statements. Not doing so could mean overlooking suspicious activity. Likewise, it is imperative that plan sponsors review the overall plan statements on a regular basis to ensure there is no suspicious activity. It is also important for plan sponsors to understand what their service providers are doing to address these risks and, if the measures are insufficient, where they may need to implement additional controls, especially as they relate to withdrawals from the Plan.
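One way a plan sponsor could operationalize the regular statement review described above, as an added example that is not part of the original article: a review rule that flags withdrawals from accounts with no contributions for over a year, the dormant accounts the article says cybercriminals target. The record layout, the one-year threshold and the sample statement data are assumptions constructed for illustration.

```python
"""Added example: flag withdrawals on dormant retirement accounts for sponsor review.
Not the article's or any provider's code; fields, threshold and data are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: an account with no contribution for a year is treated as dormant.
DORMANT_AFTER = timedelta(days=365)


@dataclass(frozen=True)
class Transaction:
    account: str   # participant account id (constructed)
    when: date
    kind: str      # "contribution" or "withdrawal"
    amount: float


def last_contribution_before(txns, account, cutoff):
    """Most recent contribution date for `account` strictly before `cutoff`, or None."""
    dates = [t.when for t in txns
             if t.account == account and t.kind == "contribution" and t.when < cutoff]
    return max(dates) if dates else None


def flag_dormant_withdrawals(txns, dormant_after=DORMANT_AFTER):
    """Return (account, withdrawal date, amount, days since last contribution)
    for every withdrawal whose account had no contribution within `dormant_after`.
    Accounts with no contribution on record at all are always flagged."""
    flagged = []
    for t in txns:
        if t.kind != "withdrawal":
            continue
        last = last_contribution_before(txns, t.account, t.when)
        if last is None or t.when - last > dormant_after:
            days = (t.when - last).days if last else None
            flagged.append((t.account, t.when.isoformat(), t.amount, days))
    return flagged


# Constructed sample plan statement data, not real participant records.
SAMPLE = [
    Transaction("P-001", date(2020, 1, 15), "contribution", 500.0),
    Transaction("P-001", date(2021, 3, 20), "withdrawal", 4800.0),  # dormant: flagged
    Transaction("P-002", date(2021, 2, 10), "contribution", 300.0),
    Transaction("P-002", date(2021, 3, 22), "withdrawal", 1000.0),  # active: not flagged
    Transaction("P-003", date(2021, 4, 2), "withdrawal", 250.0),    # no contributions: flagged
]

if __name__ == "__main__":
    for row in flag_dormant_withdrawals(SAMPLE):
        print("REVIEW:", row)
```

The rule is deliberately simple; in practice it would run over the recordkeeper's statement export and feed the sponsor's periodic review rather than block transactions on its own.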

By following these simple steps, you could easily help save your company and your employees from devastating potential losses.

For additional information or guidance related to this article, contact Kerri Walz at kwalz@vlcpa.com or 800.887.0437.
