FiduciaryNews


How Can 401k Plan Sponsors Better Shield 401k Participants From External Fraud?

April 28, 2020, 00:03

Willie Sutton never quite said he robbed banks because that’s where the money is. Someone else said he said it. When he heard about the misquote, he liked it so much he adopted it as if it were his own. Or so goes one of the stories about the infamous bank robber.

In today’s world, the money isn’t in the banks. It’s in retirement plans. And smart thieves don’t crack safes or use dynamite. They steal identities and use the internet. Sometimes they do this without the knowledge of the victim. Sometimes victims hand them the keys to their account directly.

And under current stay-safe-at-home policies, victims are making it easier for criminals. Retirement accounts have never been more at risk than they are today.

The good news is that these acts are rarely, if ever, perpetrated by retirement plan sponsors.

“As a forensic accountant and Certified Fraud Examiner, I have investigated hundreds of allegations of financial fraud,” says Juliette Gust, Founder and President at Ethics Suite in Scottsdale, Arizona. “However, none of these have involved a breach of trust or act of deception on the part of a fiduciary. Generally, the fraudsters I have investigated were either trusted employees of an organization, the victim’s friend or family member, or an external/third party who gained the trust of the victim to solicit the information needed to commit the fraud.”

But plan sponsors – or, more specifically, the companies plan participants work for – may be placing employees in a far greater cyber-vulnerable position than they realize.

“Teleworking – while necessary for organizations to continue running as smoothly as possible with stay-at-home orders in place – brings innate cybersecurity risks to both the company and the employee,” says Paige Schaffer, CEO at Global Identity & Cyber Protection Services of Generali Global Assistance in Washington, D.C.

It’s not that the plan sponsors are lax. It’s that their employees may be.

“Many companies rely on password-protected networks with carefully monitored firewalls and other cybersecurity tools,” says Robert A. Stern, an Attorney in Clark Hill’s Chicago, Illinois office. “When employees shift to their home network they could be accessing company or client confidential information from an unsecured network or a network lacking the same security protocols that their office network provides.”

It’s not just the home Wi-Fi network, either. Employees using home-based machines often don’t have the same protection as those they use in the office.

“Many employees use company-controlled devices at work where companies control what anti-virus software is installed, what sites employees can navigate to, and what other anti-spam or similar tools are in place,” says Stern. “When employees are asked to work remotely, they may be forced to use a personal device, which likely doesn’t contain the same security controls that are in place on a company-issued device.”

The bottom line: employees need to act in their own best interests. “Much of the onus for maintaining cyber-hygiene lies on the remote employee and therefore user awareness and cyber-hygiene takes on an even more critical importance to any organization during periods such as now, with large numbers of employees working from home,” says Carl Wearn, Head of E-crime at Mimecast in London, England. “Having agreed and known procedures for the verifying of communications such as telephone verification and detailed authorization processes is also likely to reduce the risk of fraud.”

But that doesn’t leave plan sponsors off the hook. Stern says, “Plan sponsors should be taking additional steps to confirm any and all financial requests coming from Clients. First, make sure it’s coming from the Client’s proper email account. Scroll over the name of the client to see the true email domain. Second, carefully review any forms or financial information provided in support of a request. And third, always call a known phone number and verify requests verbally. E-mails can be easily manipulated.”


Just because workers aren’t coming into the office doesn’t mean the plan sponsor shouldn’t continue best practices when it comes to cybersecurity. Gust says they must “ensure all fraud, privacy, and data security protocols continue to be functioning and monitored regardless of any decrease in onsite resources. Although remote work requirements have been a significant challenge for many businesses, risk management and compliance efforts must be maintained to mitigate the risk of fraud, potential litigation, and reputational damage caused as a result of a data breach.”

In addition, plan sponsors need to increase their sensitivity when it comes to using emails. They can’t (and shouldn’t) unnecessarily restrict the use of this efficient communications tool, but they do need to be more aware of its potential weakness.

“Because business email compromise (BEC) is a prominent attack vector,” says Wearn, “we strongly advise customers to review their policies and practices on cybersecurity – including increasing awareness training on the most common attack campaigns, and encouraging your team to create unique passwords and to enable two-factor authentication wherever possible.”

Finally, just as plan sponsors have adopted an employee education policy for investing in their 401k plans, so might they develop similar tactics when it comes to teaching participants how to better protect their retirement assets.

“While we hope that organizations have proactively reached out to their employees to provide educational resources and/or training for safe teleworking, there are plenty of precautions individuals can (and should!) take to reduce their risk,” says Schaffer. “Make sure you’re connecting to secure, password-protected home Wi-Fi, which will help keep criminals from infiltrating your network. Also make sure you’re using unique and strong passwords for all your accounts and enable two-step verification when possible. Lastly, while it’s tempting to use your personal devices for work, stick to what was issued to you by your company and make sure you’re keeping your firewall and antivirus software up to date.”

With a little more discipline on the part of both employees and plan sponsors, the world could get a lot tougher for cyber criminals.

Christopher Carosa is a keynote speaker, journalist, and the author of 401(k) Fiduciary Solutions, Hey! What’s My Number? How to Improve the Odds You Will Retire in Comfort, From Cradle to Retirement: The Child IRA, and several other books on innovative retirement solutions, practical business tips, and the history of the wonderful Western New York region. Follow him on Twitter, Facebook, and LinkedIn.

Mr. Carosa is available for keynote speaking engagements, especially in venues located in the Northeast, Mid-Atlantic and Midwestern regions of the United States and in the Toronto region of Canada.

About Author

Christopher Carosa, CTFA