You probably know that savings accounts up to $250,000 are protected by the federal government. And you’re probably aware that if someone uses your credit card, you’re liable for only the first $50 they spend.
But—and as if there aren’t enough things to worry about these days—the $20.6 trillion that Americans hold in 401(k) and 401(k)-like accounts generally come with no similar guarantees of safety. And cyber theft of these assets is on the rise.
The federal government’s Government Accountability Office (GAO) asked the Labor Department Monday to tighten rules that protect both your money and personal information like Social Security, date of birth and investment account numbers. The Labor Department regulates 401(k) and other popular retirement plans.
Cyber thieves always seem to be a step ahead of the good guys, and the GAO said that until better technical and legal protections for investors are put in place, “participants’ data and assets will remain at risk.” The GAO report called it “imperative that industry and government prevention and mitigation efforts evolve to keep pace with these threats.”
The retirement industry tries to keep such thefts hush-hush. The Wall Street Journal notes that little data is available on the scale of the problem, but it pointed to recent court cases involving alleged theft and lawsuits filed by account holders seeking reimbursement of their assets.
Alarmingly, the GAO report alleges that in some cases, thefts have been inside jobs, with perpetrators employed by 401(k) plan sponsors.
“Cyber theft from retirement accounts is a growing concern,” Steve Silberstein, chief executive officer of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which combats cyber fraud in the finance industry, tells me via email.
“In the U.S., people tend to hold a substantial amount of their wealth in a retirement account so they are relatively high-value targets. Customers often re-use the same passwords for different accounts, which increases the likelihood of their credentials being available for sale on the dark web.”
Silberstein mentions another all-too-common problem. “Smaller record-keepers and third party clients may not have a high level of sophistication when it comes to cybersecurity, especially when battling criminals who constantly evolve their tactics.”
Some people automatically rail against government regulations, but here’s an example of how too little regulation, or outdated regulation, can be costly. There are generally no protections surrounding 401(k) and similar retirement accounts because the federal Employee Retirement Income Security Act, which governs such plans, was passed—get this—in 1974. Regulatory updates since have been insufficient, and this has placed worker and retiree assets at greater risk.
“Americans who plan and save for retirement should be able to count on the security of their savings, but a cyberattack can put that all in jeopardy in the blink of an eye,” said New Hampshire Senator Maggie Hassan in a statement. “This GAO report makes clear just how important it is to strengthen cybersecurity for retirement plans. I look forward to working with my colleagues on both sides of the aisle to follow through on the report’s recommendations by modernizing cybersecurity requirements for those who administer retirement plans.”
The GAO report recommends that the Department of Labor make clear whether fiduciaries—big asset managers who manage these trillions in assets—are responsible for cybersecurity, and whether clients are aware of the potential risk of cyber theft.
Until stronger laws and technology catch up, what can you do to protect yourself? FS-ISAC’s Silberstein offers these common-sense tips:
• Look carefully at emails trying to get your personal information; phishing emails will often have wrong phone numbers or bad links. If in doubt, delete.
• Don’t download banking applications found on open forums. Go to the institution’s website and use the link to the appropriate app store from there.
• Set up multifactor authentication (MFA) as well as unique usernames and passwords on all accounts: email, personal and professional social media, bank, retirement, and investment accounts, healthcare accounts, insurance accounts, etc.
• Install updates on your computer, devices and apps regularly.
• Provide updated contact information to the retirement account and utilize options to be notified when funds are being moved out of accounts in real time.
• Monitor accounts at least once a month to see any unwanted activity.
• Know how to contact the institution in case of suspected attempted fraud. If you receive a suspicious text message, report it.