Are 401(k)s Vulnerable to Cyberattacks?
01/01/2022
How are you saving for retirement?
More than 100 million Americans rely on employer-sponsored retirement savings plans like 401(k)s. In the process of using these benefits, enrollees share highly sensitive details — such as names, Social Security numbers, and bank account information — with plan providers and administrators.
If you’re one of them, you may have wondered what happens to that information once it’s collected. How is it stored and secured?
Unfortunately, it may not be safeguarded carefully enough. A 2021 federal watchdog report warns that some 401(k) investors and their affiliates aren’t adequately protecting personal information, putting plan holders’ privacy and life savings at risk.
Read on to learn more about what’s at stake, plus how Allstate Identity Protection can help companies and individuals protect what matters most — now and in the future.
Why are 401(k) plans vulnerable?
With more than $6 trillion in assets, 401(k) plans are an attractive target for cybercriminals.
It’s concerning, then, that a March 2021 report from the Government Accountability Office (GAO) found “significant cybersecurity risks” in how plan providers and administrators handle participant data.
Retirement accounts like 401(k)s are often overseen by several different parties, such as employers, administrators, financial advisors, payroll providers, and financial institutions. A cyberattack on any of these groups could lead to losses for the targeted organization and its account holders.
These days, retirement savings plans are mostly managed online, with plan providers and administrators sharing and storing participant data digitally. Unfortunately, without proper cybersecurity measures in place, sharing and storing data this way can increase the risk of exposure.
There’s no public data available on how many 401(k) accounts have been compromised. But it’s common knowledge that bad actors can use personal details to unlock financial accounts.
In recent years, 401(k) plan holders have made a number of legal claims about unauthorized account activity. Several of these claims are cited in the GAO report. One example alleges that between December 2018 and January 2019, a threat actor was able to obtain a plan participant's personal details and pull out $245,000 from their online retirement account.
The agency says more federal guidance is required to mitigate the risk of additional compromises.
What protections are in place?
While the United States doesn’t have a federal law governing data privacy, there are existing regulations designed to offer some protection.
For example, the Gramm-Leach-Bliley Act requires financial institutions to safeguard sensitive data.
But some of the third parties involved with retirement accounts — such as payroll providers — aren’t financial institutions or fiduciaries and may not be held to the same rules.
In April 2021, the Department of Labor (DOL) announced new cybersecurity guidance for plan sponsors and fiduciaries governed by the Employee Retirement Income Security Act.
But the GAO recommends the DOL go further by issuing additional guidance on how personal data should be handled by all of the entities involved in administering employer-sponsored retirement accounts, including those that aren’t fiduciaries.
Employers can take steps to protect 401(k)s
If you’re an employer and you sponsor a 401(k) program, check out the DOL’s cybersecurity guidelines:
- Tips for hiring a service provider with strong cybersecurity practices
- Cybersecurity program best practices
You can also add an extra layer of protection by offering our solution as an employee benefit.
Select Allstate Identity Protection plans include coverage for 401(k)s. We can help our members detect fraud with financial alerts triggered by account activity — and even reimburse funds stolen from employer-sponsored retirement savings plans.
With the right package in place, your workers won’t have to manage the recovery process alone if your company’s employer-sponsored savings plan is compromised in a security incident.
Individuals can take action, too
If you’re an individual looking to reduce the risk of fraud to your retirement accounts, see the DOL’s basic online security tips.
If you’d like to take additional steps to safeguard your 401(k) and your employer offers Allstate Identity Protection, be sure to enroll during open enrollment.
Once your account is active, visit the portal to link your 401(k) account for monitoring. Our fast alerts can let you know if something’s up, so you can act quickly to protect your nest egg.
If an issue does arise, customer support is available 24/7. Our dedicated restoration specialists work with third parties to handle time-consuming tasks, like making phone calls, notifying law enforcement, and filing paperwork and affidavits on your behalf.
Rest assured, we’ll stay on the case from start to finish — so you can face the future with confidence.
"Are 401(k)s vulnerable to cyberattacks?" Allstate Identity Protection, https://www.allstateidentityprotection.com/content-hub/401ks-vulnerable-cyberattack-protection. Accessed December 01, 2021.