With $10 trillion in 401k and other defined contribution retirement assets to safeguard, retirement industry regulators are intensely focused on the issue of cybersecurity.
“That level of consolidation activity means that securing personal information is paramount, requiring the application of stringent cybersecurity standards.”
The latest developments signifying regulatory resolve include enforcement actions by the Securities and Exchange Commission (SEC), who in August 2021 sanctioned eight firms in three separate actions for failing to implement cybersecurity policies and procedures, potentially leading to compromised private client data.
The SEC’s actions were preceded in April 2021 by the Department of Labor (DOL), who issued three guidance documents for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices for maintaining cybersecurity.
Amid these actions, the retirement industry should expand its cybersecurity focus to actively address another vitally important element: the consolidation of small-balance retirement savings accounts, achieved by improved plan-to-plan portability.
Minimizing fraud-prone, small-balance accounts
A key principle in loss prevention is that “big frauds start small.” In our retirement system, nowhere is this axiom more applicable than for small-balance retirement savings accounts.
In recent years, there’s been a very well-documented explosion of both small-balance 401k accounts and small-balance IRAs, which can present tempting targets, as system controls and monitoring can often be lax.
In cybersecurity terminology, the presence of vast numbers of small, unconsolidated retirement savings accounts scattered across thousands of plans and housed on a myriad of recordkeeper platforms creates a larger cyber “attack surface”—the sum of the different points, or attack vectors, that cyber-intruders can attempt to leverage to compromise security.
That’s where consolidation comes in. Consolidation is, by definition, the combination of two accounts into one, resulting in one fewer retirement savings account. Combining retirement savings accounts translates into a smaller cyber attack surface.
How auto portability promotes retirement cybersecurity
Auto portability, via consolidation, significantly reduces the odds of exposure for millions of 401k participants. Data from the Auto Portability Simulation shows that over 40 years, the adoption of auto portability would result in a net increase of 124.3 million plan-to-plan account consolidations.
That level of consolidation activity means that securing personal information is paramount, requiring the application of stringent cybersecurity standards. To achieve that, auto portability’s cybersecurity has been built to comply with NIST Special Publication 800-171, a security framework that is specifically designed to protect confidential information.
To effect consolidation, auto portability relies upon highly secure, transient data exchanges to ensure that accounts are located, matched, and moved forward quickly, safely, and securely, employing the following key cybersecurity features:
- Social security numbers are not provided with any other personally identifiable information (PII) in data transfers. Thus, there is never enough PII in any data transmission for a hacker to steal an identity.
- Any file containing encrypted personal information never includes the identity of either the plan sponsor or the recordkeeper, further thwarting a hacker from accessing an individual participant’s retirement account.
- Each participating service provider has their own, dedicated, and secure channel for transmitting participant data.
Auto portability stands in stark contrast to other current or proposed policies that do not promote consolidation and do little to improve cybersecurity, including:
- Forcing out small 401(k) balances into dead-end safe harbor IRAs.
- Creating a government-run lost and found to warehouse unclaimed balances.
Consolidation: A vital element for retirement cybersecurity
It’s clear that account consolidation can lower retirement savings cybersecurity risks by minimizing the sheer number of fraud-prone, small-balance retirement savings accounts, and the best path to enabling consolidation—particularly for small balance 401(k) accounts—is via auto portability.
Ricki Ingalls, Ph.D., is RCH’s Executive Vice President and Chief Operating Officer of Retirement Clearinghouse.
Ricki Ingalls, Ph.D., is RCH’s Executive Vice President and Chief Operating Officer of Retirement Clearinghouse.
