As the Plan Administrator or Trustee for a 401(k) Plan, you have a fiduciary responsibility to the Plan and its participants. This includes ensuring that their accounts are safeguarded by putting internal controls in place both within your company and at the service providers used to administer the Plan. This has always been the case. However, with the COVID-19 pandemic and more employees working remotely, it is a good time to review those controls to ensure they are adequate. Fraudsters are always looking for weak access controls to exploit.
Recently, a participant in the Abbott Laboratories 401(k) Plan filed a lawsuit alleging that the company and other parties, including the Plan record-keeper, did not maintain adequate security over participant accounts, which allowed a fraudster to take $245,000 from the participant’s 401(k) account. The suit alleges that the fraudster called the record-keeper and provided only the participant’s online account user name, the last four digits of their Social Security number and their date of birth. The record-keeper then reset the password, and the fraudster was able to request a fraudulent distribution. The fraudster also changed the bank account information online to ensure they received the distribution. Note that each piece of information the caller supplied is routinely exposed in data breaches, so this "verification" step verified nothing. This is just one example of the means used to access participant funds illegally.
We recommend strong access controls for all Plans, such as:
- Ensure password requirements are strong. Systems should require a minimum length of at least 12 characters and screen new passwords against lists of known-compromised passwords. Current guidance (NIST SP 800-63B) favors length and breached-password screening over mandatory mixes of capitals, numbers and special characters, and recommends forcing a password change when there is evidence of compromise rather than on a fixed schedule, since scheduled changes push users toward predictable variations. Whatever the password policy, it is not a substitute for multi-factor authentication on logins, password resets and payee changes.
- Verify that both your providers and your company provide security training to employees and Plan participants. This training needs to cover the social-engineering and credential-theft methods currently in use (fraudulent calls, e-mails and web pages that impersonate the Plan or the record-keeper) and how to recognize them.
- Discuss the access security controls your record-keeper uses to verify a participant’s identity, especially for password resets and changes to bank account or contact information. Knowledge-based questions (date of birth, last four digits of the Social Security number, security phrases) are weak on their own because the answers are widely available to criminals; the record-keeper should require a second factor, such as a one-time code sent to a phone number or authenticator app that was registered before the request, and should never send that code to contact details changed as part of the same request.
- When a distribution or loan is taken against a participant account, ensure you as Plan Sponsor are given a chance to review the transaction before the funds are disbursed. Look for address changes or bank account changes made shortly before or as part of the transaction; a password reset followed by a new payee account and then a distribution request is the pattern in the case described above. Consider verifying directly with the participant, using contact details you already hold rather than any supplied with the request, that they actually requested the transaction. Discuss whether the service provider sends the participant a confirmation of the transaction, and whether it is sent before or after the funds are disbursed: to stop a fraudulent transaction, the confirmation must reach the participant, at their previously registered address or phone, before the funds leave the Plan.
- Most large service providers have their processes and internal controls examined annually by a public accountant, documented in a SOC report (typically a SOC 1 Type 2 report covering controls relevant to financial reporting, and often a SOC 2 report covering security). You can request a copy of the most recent report and review the controls it describes, including any exceptions noted by the auditor. Pay particular attention to the section listing complementary user entity controls: these are controls the provider assumes you, the Plan Sponsor, operate yourself (for example, promptly removing terminated employees’ access and reviewing transaction reports), and the provider’s controls are only effective if you actually perform them. You can also discuss the controls with your 401(k) auditor to ensure you understand them. Conduct a risk assessment based on this review to identify potential weaknesses that may require action.
- Review your fiduciary liability, fidelity bond and cyber insurance coverage over the Plan. No controls are perfect, and you may experience a cyber-security breach. Check that each policy actually responds to losses from a third-party account takeover, not only to dishonesty by Plan officials, and that the limits are adequate to reimburse the Plan for losses in the event of an attack.
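The transaction-review step above can be turned into a routine screen. The following is an added example written for this page, not code from any record-keeper or from Summit CPA Group. It assumes a hypothetical account-activity export with one row per event (participant, timestamp, event kind, detail); real exports will use different field names. It flags every distribution or loan request that follows a password reset, bank-account change or address change on the same account within a review window, which is exactly the sequence alleged in the lawsuit described above, and produces a hold list for the Plan Sponsor to verify directly with the participant before funds are released. The 30-day window and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed event schema: what an account-activity export from a record-keeper might
# contain. The field names and event kinds are hypothetical, not any vendor's format.
@dataclass
class AccountEvent:
    participant_id: str
    timestamp: datetime
    kind: str        # password_reset, bank_change, address_change, distribution, loan
    detail: str = ""

# Changes that precede the fraud pattern described above (credential reset, then
# payee/contact change, then a disbursement request).
PRECURSORS = {"password_reset", "bank_change", "address_change"}
DISBURSEMENTS = {"distribution", "loan"}


def flag_disbursements(events, window_days=30):
    """Return [(disbursement, [precursor events])] for every distribution or loan
    request that follows a password reset, bank-account change or address change
    on the same account within window_days. These are the requests the Plan Sponsor
    should hold and verify directly with the participant before funds are released."""
    window = timedelta(days=window_days)
    by_participant = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_participant.setdefault(ev.participant_id, []).append(ev)

    flagged = []
    for evs in by_participant.values():
        recent = []  # precursor events seen so far for this participant
        for ev in evs:
            if ev.kind in PRECURSORS:
                recent.append(ev)
            elif ev.kind in DISBURSEMENTS:
                hits = [p for p in recent if ev.timestamp - p.timestamp <= window]
                if hits:
                    flagged.append((ev, hits))
    return flagged


def hold_report(flagged):
    """One line per held request, listing what changed and when, for the reviewer."""
    lines = []
    for ev, hits in flagged:
        changes = ", ".join(f"{p.kind} on {p.timestamp:%Y-%m-%d}" for p in hits)
        lines.append(f"HOLD {ev.kind} {ev.detail} for {ev.participant_id} "
                     f"({ev.timestamp:%Y-%m-%d}): preceded by {changes}")
    return lines


# Constructed sample activity (not real data). P-1001 mirrors the pattern in the
# lawsuit described above; P-2002 is a routine request with no prior changes;
# P-3003's address change is too old to fall inside the default 30-day window.
SAMPLE_EVENTS = [
    AccountEvent("P-1001", datetime(2020, 5, 1, 9, 0), "password_reset", "via phone, KBA only"),
    AccountEvent("P-1001", datetime(2020, 5, 1, 9, 20), "bank_change", "new routing/account"),
    AccountEvent("P-1001", datetime(2020, 5, 2, 8, 5), "distribution", "$245,000"),
    AccountEvent("P-2002", datetime(2020, 5, 3, 14, 0), "loan", "$15,000"),
    AccountEvent("P-3003", datetime(2020, 2, 10, 11, 0), "address_change", "new mailing address"),
    AccountEvent("P-3003", datetime(2020, 5, 4, 10, 0), "distribution", "$8,000"),
]

if __name__ == "__main__":
    for line in hold_report(flag_disbursements(SAMPLE_EVENTS)):
        print(line)
```

Run against the sample, only P-1001's $245,000 distribution is held, with the password reset and bank change listed as the reason. The window is the main tuning knob: widening it to 120 days also catches P-3003, at the cost of more requests to verify by hand. A screen like this only works if the confirmation call goes to contact details held before the suspicious changes, so the hold list should be worked from your own HR records, not from the record-keeper's current contact fields.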
Now is a good time to review your access security policies and procedures, given that your employees (and Plan participants) may be working from home on personal equipment without the built-in security measures usually in place within an office setting or on company equipment. A bit of time spent on this issue now can save you a load of future headaches in the event of a cyber-security attack.
Do you need an audit for your 401(k) Plan? Consider a specialized firm like Summit CPA Group. We can provide a quality benefit plan audit that is efficient and accurate. If you would like to discuss Summit CPA Group’s audit process in more detail contact our office at (866) 497-9761. We also offer flat-fee pricing so there are no surprises on your bill when the job is complete.