As all of us work to transition to the new normal in our work lives, many employees may remain working from home on a full-time or part-time basis. You’ve probably worked through the general implications for your work environment, but have you considered any potential impacts on your company 401(k) plan? As the Plan Administrator for a 401(k) plan, you are a named fiduciary to the plan. This designation carries with it specific responsibilities with respect to the participants in the plan.
One of the primary duties of the fiduciary is to ensure that the participants are treated fairly and that their accounts are safeguarded from any fraudulent or negligent activity. For example:
In a recent lawsuit involving a participant in the 401(k) plan for Estee Lauder, the participant alleged that funds from their account were disbursed, without their knowledge or approval, to bank accounts that the participant neither owned nor controlled. According to the participant, $99,000 was disbursed from their account. The TPA/record-keeper, the custodian, Estee Lauder, Inc. and the named plan fiduciaries are all parties to the lawsuit. The suit was filed October 9, 2019, in a U.S. District Court in San Francisco.
The lawsuit alleges that the defendants failed to “establish distribution processes to safeguard the Lauder plan assets against unauthorized withdrawals” and faults them for “failing to identify and halt suspicious distribution requests”. This risk isn’t limited to large plans or plans with well-known names. Smaller plans face cybersecurity risks just as often as larger ones.
Unfortunately, losses incurred by smaller plans can be more difficult to absorb. Fraudsters have become very good at impersonating participants in order to trick employers and plan service providers into disbursing funds to them in the belief that the transactions are legitimate. If no monitoring, review or approval controls are in place, the fraud is not discovered until it is too late and the money cannot be recovered.
Cybersecurity is a real threat to your plan. Controls to help combat potential attacks include:
- regular monitoring of plan activity,
- reviewing distribution requests prior to processing,
- review of controls at the service providers, especially with regard to access controls and physical access to data, and
- physical custody and safeguarding of confidential data such as employee names, addresses, Social Security numbers, account numbers and e-mail addresses.
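To show what "reviewing distribution requests prior to processing" can look like in practice, here is an added example (not from the original post, and not any record-keeper's actual system) of a simple pre-disbursement screen. It takes a batch of constructed distribution requests, compares each against the participant's record on file, and returns the reasons a request should be held for manual approval: the payee account does not match the account on file, the bank account or contact details were changed shortly before the request, or the amount is unusually large. The participant records, request data, the 30-day "recent change" window and the $25,000 threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed screening parameters (not from the original post).
RECENT_CHANGE_DAYS = 30        # a change this recent is a red flag
LARGE_AMOUNT = 25_000.00       # amounts at or above this get a second look


@dataclass
class Participant:
    """Participant record as held by the plan (constructed example fields)."""
    participant_id: str
    bank_account_on_file: str
    bank_account_changed_on: Optional[date]   # None if never changed
    contact_changed_on: Optional[date]        # address / e-mail / phone change


@dataclass
class DistributionRequest:
    """A pending request to disburse funds from a participant's account."""
    request_id: str
    participant_id: str
    amount: float
    payee_account: str
    requested_on: date


def _changed_recently(changed_on: Optional[date], requested_on: date) -> bool:
    """True if the record changed within RECENT_CHANGE_DAYS before the request."""
    if changed_on is None:
        return False
    return 0 <= (requested_on - changed_on).days <= RECENT_CHANGE_DAYS


def screen_request(req: DistributionRequest,
                   participants: Dict[str, Participant]) -> List[str]:
    """Return the list of reasons to hold this request; empty means it may proceed."""
    reasons: List[str] = []
    participant = participants.get(req.participant_id)
    if participant is None:
        return [f"no participant record for {req.participant_id}"]

    if req.payee_account != participant.bank_account_on_file:
        reasons.append("payee account differs from bank account on file")
    if _changed_recently(participant.bank_account_changed_on, req.requested_on):
        reasons.append(f"bank account on file changed within {RECENT_CHANGE_DAYS} days")
    if _changed_recently(participant.contact_changed_on, req.requested_on):
        reasons.append(f"contact details changed within {RECENT_CHANGE_DAYS} days")
    if req.amount >= LARGE_AMOUNT:
        reasons.append(f"amount {req.amount:,.2f} is at or above {LARGE_AMOUNT:,.2f}")
    return reasons


def screen_batch(requests: List[DistributionRequest],
                 participants: Dict[str, Participant]) -> Dict[str, List[str]]:
    """Screen every request; map request_id -> reasons for hold."""
    return {req.request_id: screen_request(req, participants) for req in requests}


def needs_manual_review(reasons: List[str]) -> bool:
    """A request with any flag goes to a human approver before processing."""
    return len(reasons) > 0


# Constructed sample data for illustration only.
PARTICIPANTS = {
    "P-1001": Participant("P-1001", "ACCT-111", None, None),
    "P-1002": Participant("P-1002", "ACCT-222", date(2019, 9, 30), date(2019, 9, 28)),
    "P-1003": Participant("P-1003", "ACCT-333", None, None),
}

REQUESTS = [
    DistributionRequest("R-1", "P-1001", 4_000.00, "ACCT-111", date(2019, 10, 9)),
    DistributionRequest("R-2", "P-1002", 99_000.00, "ACCT-999", date(2019, 10, 9)),
    DistributionRequest("R-3", "P-1003", 30_000.00, "ACCT-333", date(2019, 10, 9)),
    DistributionRequest("R-4", "P-9999", 1_500.00, "ACCT-444", date(2019, 10, 9)),
]

if __name__ == "__main__":
    for request_id, reasons in screen_batch(REQUESTS, PARTICIPANTS).items():
        status = "HOLD FOR REVIEW" if needs_manual_review(reasons) else "ok to process"
        print(f"{request_id}: {status}")
        for reason in reasons:
            print(f"    - {reason}")
```

In this constructed batch only R-1 clears; R-2 (different payee account, account and contact details changed days earlier, large amount) is the kind of request the controls above are meant to stop, and R-4 is held because there is no participant record at all. Thresholds and windows should be set with the plan's record-keeper and reviewed periodically, and the held requests should be confirmed with the participant through a contact method that was on file before the change.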
While no controls can fully prevent a cybersecurity attack, controls such as those noted above can help protect your plan and the assets it holds. While we understand everyone has a full plate these days, we encourage you to review the controls around the security of data in your 401(k) plan and continue to ensure monitoring work is carried out on a regular basis.
At Summit CPA, we know that plan administration can be a huge burden to companies, especially with all the complexities added due to the pandemic. However, don’t let your guard down regarding your 401(k) plan. It is an important responsibility of the plan fiduciaries to ensure compliance at all times. A review of current compliance and administration now will help make things a little less stressful. For more information on how we can help, contact our office at (866) 497-9761.