Cyberthieves are going after the more than $17 trillion in retirement savings tucked away by 54 million Americans, but it is almost impossible to know the range and extent of their schemes, industry insiders say.
That’s because retirement plan sponsors and vendors are not required to report cyberattacks to 401(k) and IRA account holders or the U.S. Department of Labor.
In fact, the Employment Retirement Income Security Act, or ERISA, a massive set of laws, rules and regulations covering employee benefits, does not provide any specific guidance to employers and middlemen about what they should be doing to promote better cybersecurity.
“Plan vendors won’t disclose attacks out of fear of liability and revealing their vulnerabilities,” Jana Steele, a senior vice president at Callan Associates, a consulting firm specializing in retirement fund management, told RealClearInvestigations. “It’s kind of a gaping hole.”
Unlike the well-publicized data breaches at Yahoo and Equifax and ransomware attacks like WannaCry, little is known about the extent to which U.S. retirement funds have been impacted. John Vogt, a prominent Washington, D.C., attorney, published an in-house “alert” about the threat last year, “Data Breach Risks for 401(k) and Retirement Plans.” “There has been a recent spike in attacks on 401(k) and retirement plans by cyber criminals,” he wrote. “Some have been reported publicly, and we are aware of several nonpublic incidents as well.”
This could be troubling for retirement plan sponsors, who have a strict federal legal obligation to protect employee savings under ERISA.
His warnings were echoed this year in a report from Callan Associates: “More worrisome for many plan sponsors, the focus of cyberattacks in the defined contribution world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.”
It is not yet clear who is behind these attacks and whether any have successfully stolen money. None of the lawyers, plan sponsors or vendors contacted responded to requests for comment.
The lack of reporting requirements is troubling at a time when cyberattacks are on the rise across the board. Homeland Security Secretary Kirstjen Nielsen last week said the biggest threats to national security are now online.
Last year was the worst on record for cyberattacks, with some 7 billion data files exposed and nearly 160,000 cyber incidents, according to the Online Trust Alliance, a nonprofit group focusing on internet security.
“Unfortunately, even this estimate likely significantly understates the real number,” the alliance stated in a report earlier this year. “Since most incidents are not reported to executives, law enforcement, regulators or the public, the actual number of harmful incidents could easily exceed 350,000.”
Industry experts fear that the retirement fund industry -- like most financial institutions and global corporations -- is ill prepared to defend itself and its clients’ nest eggs.
“There’s no minimal foundation for best practices” in ERISA for retirement plans, adds John Gomez, CEO of Sensato, a cybersecurity firm.
A widespread attack could be catastrophic given the massive store of wealth held in retirement accounts. 401(k)-type plans now hold about $8 trillion while Individual Retirement Accounts tally more than $9 trillion in personal wealth.
There are several layers to a 401(k)-type plan, which means cyberthieves have many points of attack. The bottom layer is the plan sponsor, or employer, which collects contributions through payroll deductions.
Retirement savings are typically moved through a chain by payroll companies, custodians and third-party administrators, or TPAs, which act as middlemen between employers and money managers. Ultimately, contributions are deposited and invested by large mutual fund companies such as Fidelity and Vanguard, among hundreds of other asset managers.
It’s unclear how or if the federal government is tracking or preventing cyber intrusions to retirement plans.
Although the FBI’s Internet Claim Complaint Center has cited some 4 million cyber-related abuses of all types, it did not note any specific attacks on retirement plan data or plans in its most recent annual report.
The U.S. Department of Labor’s Employee Benefits Security Administration, the government branch responsible for retirement plan supervision, also has not published any information on cyberattacks.
What can individuals do to protect their retirement savings? Callan, the investment consultant, recommends posing pointed questions to your plan administrator or human resources department about security precautions, notification procedures and remediation, among other issues.
There is widespread agreement that retirement plans are vulnerable. Yet Patricia Moran, an attorney in Boston, wrote last February on the website of the Society for Human Resource Management: “For most companies, 401(k) plan cybersecurity is not a priority.”