If you have been watching or listening to the news lately, you know the world can be a scary place. The U.S. Government has asked all businesses and individuals to take online security seriously and place an increased emphasis on cybersecurity, especially given the current security concerns and the potential for attacks against U.S. businesses and infrastructure. You may think that does not affect you or your 401(k) plan, but as we will review in this blog post, 401(k) plans can be easy targets with a lot of money involved. For fraudsters, as well as those seeking to act against the U.S., these accounts provide an opportunity.
As the Plan Administrator for a 401(k) Plan, you are a named fiduciary to the Plan. This designation carries with it specific responsibilities with respect to the participants in the Plan. One of the primary duties of a fiduciary is to ensure that participants are treated fairly and that their accounts are safeguarded from fraudulent or negligent activity. We know that fraudsters can find openings in the best security programs, but studying a recent case may help you understand how a simple control gap led to a significant loss for one participant in a fairly large 401(k) plan.
In a recent lawsuit involving a participant in the 401(k) Plan for Estee Lauder, the participant alleges that funds from their account were disbursed, without their knowledge or approval, to bank accounts that they neither own nor control. According to the participant, $99,000 was disbursed from their account. The TPA/recordkeeper, the custodian, Estee Lauder, Inc. and the named Plan fiduciaries are all parties to the lawsuit. The suit was filed October 9, 2019, in a U.S. District Court in San Francisco. The lawsuit alleges that the defendants failed to "establish distribution processes to safeguard the Lauder plan assets against unauthorized withdrawals" and faults them for "failing to identify and halt suspicious distribution requests".
This risk is not limited to large plans or plans with well-known names. Smaller plans face the same kinds of attacks, and the losses are often harder for a small plan to absorb. Fraudsters have become very good at impersonating participants in order to trick employers and plan service providers into disbursing funds to them; commonly the fraudster first uses stolen personal information to change the participant's contact details or add a new bank account on file, so that the later distribution request looks legitimate and the real participant never sees the notification. If no monitoring, review or approval controls are in place, the fraud is not discovered until it is too late and the money cannot be recovered.
Cybersecurity is a real threat to your Plan. Controls to help combat potential attacks include:
- regular monitoring of Plan activity,
- reviewing distribution requests prior to processing,
- review of controls at the service providers, especially logical access controls (who can change participant contact details, bank accounts on file and distribution instructions) and physical access to data,
- reviewing your fidelity bond and other insurance coverage over plan assets to ensure that, in the event of a loss, affected participants can be made whole; note that the ERISA fidelity bond is designed to cover losses caused by fraud or dishonesty of people who handle plan funds, so it may not respond to theft by an outside attacker, and a separate cyber or crime policy may be needed, and
- custody and safeguarding of confidential data such as employee names, addresses, Social Security numbers, account numbers and e-mail addresses, whether held on paper or electronically.
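To make the "monitoring" and "review before processing" items concrete, here is an added example that is not code from the original post and not any recordkeeper's system. It applies a few review rules to a constructed log of participant events: a payout is held for manual review when it goes to a bank account added shortly before the request, follows a recent change of contact details, is unusually large, or comes in rapid succession after earlier requests. The event fields, participant identifiers, thresholds and sample records are all assumptions for illustration; the rules are the kinds of checks a plan sponsor would want its recordkeeper to perform before money leaves the plan.

```python
"""Flag 401(k) distribution requests that should be held for manual review.

Added example. The event layout, thresholds and sample data below are
constructed assumptions, not any recordkeeper's real system or records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Review thresholds. These values are assumptions chosen for illustration;
# a plan sponsor would agree its own with the recordkeeper.
NEW_ACCOUNT_WINDOW = timedelta(days=30)     # payout to a bank account added recently
CONTACT_CHANGE_WINDOW = timedelta(days=30)  # payout soon after e-mail/address/phone change
LARGE_AMOUNT = 25_000.00                    # single request at or above this needs a second approver
RAPID_WINDOW = timedelta(days=45)           # look back this far for earlier requests
RAPID_COUNT = 2                             # this many earlier requests in the window triggers review


@dataclass(frozen=True)
class Event:
    ts: datetime
    participant: str    # participant identifier (hypothetical format)
    kind: str           # "bank_added", "contact_changed" or "distribution"
    account: str = ""   # destination bank account, last four digits (constructed)
    amount: float = 0.0
    request_id: str = ""


def review_distributions(events):
    """Walk events in time order and return {request_id: [reasons]} for every
    distribution request that should be held for manual review."""
    bank_added = {}       # (participant, account) -> when that account was put on file
    contact_changed = {}  # participant -> time of last contact-detail change
    prior_requests = {}   # participant -> timestamps of earlier distribution requests
    held = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "bank_added":
            bank_added[(e.participant, e.account)] = e.ts
            continue
        if e.kind == "contact_changed":
            contact_changed[e.participant] = e.ts
            continue
        if e.kind != "distribution":
            raise ValueError(f"unknown event kind: {e.kind}")
        reasons = []
        added = bank_added.get((e.participant, e.account))
        if added is None:
            reasons.append("destination account is not on file for this participant")
        elif e.ts - added <= NEW_ACCOUNT_WINDOW:
            reasons.append(f"destination account added {(e.ts - added).days} days before request")
        changed = contact_changed.get(e.participant)
        if changed is not None and e.ts - changed <= CONTACT_CHANGE_WINDOW:
            reasons.append(f"contact details changed {(e.ts - changed).days} days before request")
        if e.amount >= LARGE_AMOUNT:
            reasons.append(f"amount {e.amount:,.2f} is at or above {LARGE_AMOUNT:,.2f}")
        earlier = [t for t in prior_requests.get(e.participant, []) if e.ts - t <= RAPID_WINDOW]
        if len(earlier) >= RAPID_COUNT:
            reasons.append(f"{len(earlier)} earlier requests within {RAPID_WINDOW.days} days")
        prior_requests.setdefault(e.participant, []).append(e.ts)
        if reasons:
            held[e.request_id] = reasons
    return held


# Constructed sample log: one participant whose account shows the classic
# takeover pattern, one with a routine payout, and one paying out to an
# account that was never registered. All identifiers are made up.
D = datetime
SAMPLE_EVENTS = [
    Event(D(2019, 1, 5), "P-1001", "bank_added", account="1234"),   # long-standing account
    Event(D(2019, 9, 2), "P-1001", "contact_changed"),               # e-mail address changed
    Event(D(2019, 9, 4), "P-1001", "bank_added", account="9876"),   # new account two days later
    Event(D(2019, 9, 6), "P-1001", "distribution", account="9876", amount=37_000, request_id="R-1"),
    Event(D(2019, 9, 20), "P-1001", "bank_added", account="5555"),
    Event(D(2019, 9, 23), "P-1001", "distribution", account="5555", amount=30_000, request_id="R-2"),
    Event(D(2019, 10, 10), "P-1001", "distribution", account="1234", amount=32_000, request_id="R-3"),
    Event(D(2018, 3, 1), "P-2002", "bank_added", account="4242"),
    Event(D(2019, 10, 15), "P-2002", "distribution", account="4242", amount=8_000, request_id="R-4"),
    Event(D(2019, 10, 16), "P-3003", "distribution", account="0001", amount=5_000, request_id="R-5"),
]

if __name__ == "__main__":
    for request_id, reasons in review_distributions(SAMPLE_EVENTS).items():
        print(f"HOLD {request_id}:")
        for r in reasons:
            print(f"  - {r}")
```

Run as written, the routine payout R-4 passes while R-1, R-2, R-3 and R-5 are held with the reason for each. A hold should lead to confirming the request with the participant through a contact channel that was on file before any recent change, not through the newly added e-mail address or phone number, since that is precisely what the impersonator controls.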
While no control can fully prevent a cybersecurity attack, controls such as those noted above can help protect your Plan and the assets it holds. While we understand everyone has a full plate these days, we encourage you to review the controls around the security of data in your 401(k) Plan and to ensure monitoring work is carried out on a regular basis. Most large recordkeepers and custodians can provide a System and Organization Controls (SOC) report covering the controls in place at their organization. A SOC 1 report covers controls relevant to financial reporting (such as the processing of contributions and distributions), while a SOC 2 report covers security, availability and related criteria; in either case a Type 2 report is the more useful one, because the service auditor tests whether the controls operated effectively over a period rather than only describing their design at a point in time. Reviewing this report will help you understand the controls in place over the data and assets in your plan and will show any exceptions the auditor found in testing. Two further things to check: that the report period covers your plan year (ask the provider for a bridge letter if it does not), and the section on complementary user entity controls, which lists the controls the service provider expects you, the plan sponsor, to perform, such as reviewing distribution reports and limiting who can approve transactions. If any issues are identified, follow up with your service provider to ensure no control deficiencies could affect your plan participants.
If you would like to discuss Summit CPA Group’s audit process in more detail or need an audit for the first time, give me a call at (866) 497-9761. We’re here to help you navigate the world of the 401(k) audit as proficiently as possible.