With trillions of dollars in assets to safeguard, the retirement services industry is intensely focused on the issue of cybersecurity, with Congress, recordkeepers and regulatory agencies all getting in on the act:
- On February 12, 2019, Sen. Patty Murray (D.-Wash.) and Rep. Bobby Scott (D.-Va.) sent a letter to the U.S. Government Accountability Office (GAO), asking the organization to “examine the cybersecurity of the private retirement system.”
- In December 2017, the SPARK Institute’s Data Security Oversight Board (DSOB) identified 16 security control objectives, providing a cybersecurity best-practices framework for 401k recordkeepers.
- In November 2016, the ERISA Advisory Council report “Cybersecurity Considerations for Benefit Plans” provided plan sponsors and fiduciaries with tips to minimize risks associated with retirement benefit services providers.
Despite the intense focus, a fundamental element has been overlooked in the industry’s drive to secure retirement assets: auto portability. Driven by the simple-but-powerful principle of consolidation, auto portability can lower retirement savings cybersecurity risks by:
- Reducing the cyber-threat attack surface
- Minimizing fraud-prone, small-balance retirement savings accounts
- Securely moving retirement savings forward
Reducing cyber-threat ‘attack surface’
A cyber “attack surface” is the sum of the different points, or attack vectors, that a cyber-intruder can attempt to leverage to compromise security. Since a larger attack surface presents an attacker with more opportunities to exploit, shrinking the surface’s size is an important goal.
Following this principle, participants with multiple, legacy 401k retirement savings accounts housed on multiple 401k recordkeeping platforms present a larger attack surface than individuals who have consolidated their retirement savings accounts.
Auto portability, via consolidation, significantly reduces the odds of exposure for millions of 401k participants. According to the Auto Portability Simulation, widespread adoption of auto portability would result in 135 million participants consolidating their retirement savings over a generation, vs. only 9 million participants without the feature.
Minimizing fraud-prone, small-balance retirement savings accounts
Loss prevention experts warn us that “fraud starts small.” This concept clearly applies to small-balance retirement savings accounts, which can offer cyber-thieves more tempting targets because system controls and monitoring for them may be lax and treated as lower priorities.
401k plan sponsors and recordkeepers need to reduce the number of small-balance accounts to avoid becoming a breeding ground for low-level cyber-fraud, which can inevitably lead to bigger problems. Auto portability, through consolidation, can reliably achieve this outcome.
Securely moving retirement savings forward
When participants strand 401k savings accounts, the likelihood of their becoming victims of cybercrime increases over time.
By contrast, auto portability relies upon highly secured, transient data exchanges to ensure that these accounts are moved forward quickly, safely and securely, employing the following key cybersecurity features:
- All sensitive information is encrypted using Advanced Encryption Standard (AES) 256-bit encryption, an industry standard.
- Social Security numbers are never combined with other personally identifiable information (PII) in any file transfer. Thus, there is never enough PII in any data transmission for a hacker to steal an identity.
- No file containing personal information includes the identity of either the plan sponsor or the recordkeeper, which further hinders a hacker from accessing an individual participant’s retirement account.
- Each participating service provider has its own dedicated, secure channel for transmitting participant data.
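The two file-content rules in the list above (no Social Security number alongside other PII, and no sponsor or recordkeeper identity in a file carrying personal information) can be checked mechanically before a file is transmitted. The following is an added example, not code from Retirement Clearinghouse or from the original article, and it covers only those two rules, not encryption or transport. The CSV layout, every column name and the "token" join key are assumptions, and the sample files are constructed.

```python
import csv
import io
import re

# Hypothetical column names: the article does not describe the real file layouts.
SSN_COLS = {"ssn"}
OTHER_PII_COLS = {"first_name", "last_name", "dob", "address", "email"}
PARTY_COLS = {"plan_sponsor", "recordkeeper"}
# Nine digits with optional dashes. This can over-match other nine-digit numbers,
# which is the safer failure for a gate that runs before transmission.
SSN_VALUE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def check_transfer_file(text):
    """Return the rule violations for one outbound CSV file (empty list = OK)."""
    reader = csv.DictReader(io.StringIO(text))
    cols = {c.strip().lower() for c in (reader.fieldnames or [])}
    has_ssn = bool(cols & SSN_COLS)
    has_other_pii = bool(cols & OTHER_PII_COLS)
    has_party = bool(cols & PARTY_COLS)
    problems = []
    # Rule: an SSN never travels in the same file as other PII.
    if has_ssn and has_other_pii:
        problems.append("ssn column combined with other PII columns")
    # Rule: a file with personal information never names sponsor or recordkeeper.
    if (has_ssn or has_other_pii) and has_party:
        problems.append("personal data combined with sponsor/recordkeeper identity")
    # Same rules by value: an SSN-shaped string hiding in an undeclared column.
    if has_other_pii or has_party:
        for line_no, row in enumerate(reader, start=2):
            for name, value in row.items():
                key = (name or "").strip().lower()
                if key not in SSN_COLS and SSN_VALUE.search(str(value or "")):
                    problems.append(f"line {line_no}: SSN-shaped value in '{key}'")
    return problems


# Constructed sample files; "token" is an assumed opaque join key, not real data.
SSN_ONLY = "token,ssn\nT-1001,000-12-3456\n"
DEMOGRAPHICS = "token,first_name,last_name,dob\nT-1001,Pat,Example,1980-01-01\n"
COMBINED = "token,ssn,first_name,recordkeeper\nT-1001,000-12-3456,Pat,ExampleRK\n"
LEAKY_MEMO = "token,first_name,memo\nT-1001,Pat,ssn is 000123456\n"

if __name__ == "__main__":
    for label, body in [("ssn_only", SSN_ONLY), ("demographics", DEMOGRAPHICS),
                        ("combined", COMBINED), ("leaky_memo", LEAKY_MEMO)]:
        print(label, check_transfer_file(body))
```

The fourth sample shows why a header check alone is not enough: the file declares no SSN column, yet a free-text field carries one next to a name.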
Auto portability: A crucial element in retirement cybersecurity
With each new sensational data breach, we’re reminded that it’s better to be safe than sorry. By adopting auto portability, America’s 401k system—including participants, plan sponsors and service providers—can help mitigate cybersecurity threats through the power of consolidation.
Tom Hawkins is Senior Vice President, Marketing and Research with Retirement Clearinghouse, and oversees all key operational aspects of this area, including RCH’s web presence, digital marketing and plan sponsor proposals. In other roles for RCH, Hawkins has performed product development, helped lead the company’s re-branding, and evaluated and organized industry data, and he makes significant contributions to RCH thought leadership positions.