By Ricki Ingalls
With $10 trillion in 401(k) and other defined contribution retirement assets to safeguard, retirement industry regulators are intensely focused on the issue of cybersecurity.
The latest developments signifying regulatory resolve include enforcement actions by the Securities and Exchange Commission (SEC), which in August 2021 sanctioned 8 firms in three separate actions for failing to have cybersecurity policies and procedures in place, potentially leading to compromised private client data. The SEC’s actions were preceded in April 2021 by the Department of Labor (DOL), which issued three guidance documents for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices for maintaining cybersecurity.
Amid these actions, the retirement industry should expand its cybersecurity focus to actively address another vitally important element: the consolidation of small-balance retirement savings accounts, achieved by improved plan-to-plan portability.
Minimizing Fraud-Prone, Small-Balance Forgotten Accounts
A key principle in loss prevention is that “big frauds start small.” In our retirement system, nowhere is this axiom more applicable than for small-balance retirement savings accounts. In recent years, there’s been a very well-documented explosion of both small-balance 401(k) accounts and small-balance IRAs, which can present tempting targets, as system controls and monitoring can often be lax.
In cybersecurity terminology, the presence of vast numbers of small, unconsolidated retirement savings accounts scattered across thousands of plans and housed on a myriad of recordkeeper platforms creates a larger cyber “attack surface” -- the sum of the different points, or attack vectors, that cyber-intruders can attempt to leverage to compromise security.
That’s where consolidation comes in. Consolidation is, by definition, the combination of two accounts into one, resulting in one less retirement savings account. Combining retirement savings accounts translates into a smaller cyber attack surface.
How Auto Portability Promotes Retirement Cybersecurity
Auto portability, via consolidation, significantly reduces the odds of exposure for millions of 401(k) participants. Data from the Auto Portability Simulation shows that, over 40 years, the adoption of auto portability would result in a net increase of 124.3 million plan-to-plan account consolidations.
That level of consolidation activity means that securing personal information is paramount, requiring the application of stringent cybersecurity standards. To achieve that, auto portability’s cybersecurity has been built to comply with NIST Special Publication 800-171, a security framework that is specifically designed to protect confidential information.
To effect consolidation, auto portability relies upon highly secure, transient data exchanges to ensure that accounts are located, matched, and moved forward quickly, safely and securely, employing the following key cybersecurity features:
- Sensitive data, including all personal information, is continuously protected with strong encryption, whether the data is in transit or at rest.
- Social Security numbers are not provided with any other personally identifiable information (PII) in data transfers. Thus, there is never enough PII in any data transmission for a hacker to steal an identity.
- Any file containing encrypted personal information never includes the identity of either the plan sponsor or the recordkeeper, further thwarting a hacker from accessing an individual participant’s retirement account.
- Each participating service provider has its own dedicated, secure channel for transmitting participant data.
Auto portability stands in stark contrast to other current or proposed policies that do not promote consolidation and do little to improve cybersecurity, including:
- Forcing out small 401(k) balances into dead-end safe harbor IRAs.
- Creating a government-run lost and found to warehouse unclaimed balances.
Consolidation: A Vital Element for Retirement Cybersecurity
It’s clear that account consolidation can lower retirement savings cybersecurity risks by minimizing the sheer number of fraud-prone, small-balance retirement savings accounts, and the best path to enabling consolidation – particularly for small-balance 401(k) accounts – is via auto portability.