By Thomas Hawkins | May 30, 2019

How Auto Portability Serves Participants’ Best Interests: Part 5

In this series, I identify five key reasons why an auto portability program serves the best interests of plan participants.


In part 5, my final installment of the series, I explain how auto portability can mitigate retirement-related cybersecurity risks.

How Auto Portability Can Mitigate Retirement Savings Cybersecurity Risks
With trillions of dollars in assets to safeguard, the retirement services industry is intensely focused on the issue of cybersecurity, with Congress, recordkeepers and regulatory agencies all getting into the act:

  • On February 12, 2019, Sen. Patty Murray (D.-Wash.) and Rep. Bobby Scott (D.-Va.) sent a letter to the U.S. Government Accountability Office (GAO), asking the organization to “examine the cybersecurity of the private retirement system.”
  • In December 2017, the SPARK Institute’s Data Security Oversight Board (DSOB) identified 16 security control objectives, providing a cybersecurity best-practices framework for 401(k) recordkeepers.
  • In November 2016, the ERISA Advisory Council report Cybersecurity Considerations for Benefit Plans provided plan sponsors and fiduciaries with tips to minimize risks associated with retirement benefit services providers.

Despite the intense focus, a fundamental element has been overlooked in the industry’s drive to secure retirement assets: auto portability. Driven by the simple-but-powerful principle of consolidation, auto portability can lower retirement savings cybersecurity risks by:

  1. Reducing the cyber-threat attack surface
  2. Minimizing fraud-prone, small-balance retirement savings accounts
  3. Securely moving retirement savings forward

Reducing the Cyber-Threat Attack Surface
A cyber “attack surface” is the sum of the different points, or attack vectors, that a cyber-intruder can attempt to leverage to compromise security. Since a larger attack surface presents an attacker with more opportunities to exploit, shrinking the surface’s size is an important goal.

Following this principle, participants with multiple, legacy 401(k) retirement savings accounts housed on multiple 401(k) recordkeeping platforms present a larger attack surface than individuals who have consolidated their retirement savings accounts.

Auto portability, via consolidation, significantly reduces the odds of exposure for millions of 401(k) participants. According to the Auto Portability Simulation, widespread adoption of auto portability would result in 135 million participants consolidating their retirement savings over a generation, vs. only 9 million participants without the feature.

Minimizing Fraud-Prone, Small-Balance Retirement Savings Accounts
Loss prevention experts warn us that “fraud starts small.” This concept clearly applies to small-balance retirement savings accounts, which can offer cyber-thieves more-tempting targets, as system controls and monitoring may be lax, and represent lower priorities.

For 401(k) plan sponsors and recordkeepers, reducing the number of small-balance accounts becomes vital to avoid becoming a breeding ground for low-level cyber-fraud, which can inevitably lead to bigger problems. Auto portability, through consolidation, can reliably achieve this outcome.

Securely Moving Retirement Savings Forward
When participants strand 401(k) savings accounts, the likelihood of becoming a victim of cybercrime increases over time.

By contrast, auto portability relies upon highly-secured, transient data exchanges to ensure that these accounts are moved forward quickly, safely and securely, employing the following key cybersecurity features:

  • All sensitive information is encrypted using Advanced Encryption Standard (AES) 256-bit encryption, an industry standard.
  • Social security numbers are never combined with other personally identifiable information (PII) in any file transfer. Thus, there is never enough PII in any data transmission for a hacker to steal an identity.
  • Any file with personal information never includes the identity of either the plan sponsor or the recordkeeper, further thwarting a hacker from accessing an individual participant’s retirement account.
  • Each participating service provider has their own, dedicated and secure channel for transmitting participant data.

Auto Portability: A Crucial Element in Retirement Cybersecurity
With each new sensational data breach, we’re reminded that it’s better to be safe than sorry. By adopting auto portability, America’s 401(k) system – including participants, plan sponsors and service providers – can help mitigate cybersecurity threats through the power of consolidation