As the Plan Administrator for your 401(k) plan, you have access to sensitive personal information concerning your Company, the 401(k) plan, and most importantly the participants in the plan. This information would be very valuable to hackers, fraudsters and others who could use it for nefarious purposes. Because every 401(k) plan must file a Form 5500, which becomes public information on the Department of Labor EFAST website, we recommend you be very careful with requests for information regarding your 401(k) plan. The filing includes the name and phone number of an individual at your company, which gives anyone seeking information about your plan an easy starting point.
We recommend you take the following approaches to ensure the data is safeguarded:
- Periodically review the individuals with access to plan data. When personnel changes are made, ensure that access is modified accordingly. Review password standards with all employees who have access to plan data and ensure the passwords are changed periodically. Do not grant access to anyone who does not have a business need to view the data. Remember that even the ability to view the data poses a risk.
- Ensure your staff understand that no employee or participant information may be shared via unsecured e-mail. If any reports that include participant names, social security numbers, etc. need to be provided, they must be shared directly on a secured portal, via an encryption tool or through another secured mechanism. Sending sensitive personal data via e-mail is extremely risky for your organization.
- Be careful not to click on any links arriving in your e-mail, or to respond to an e-mail request, unless it comes directly from your assigned representative at the service providers you use (payroll, 401(k) TPA or record-keeper). Fraudsters have become very clever at mimicking the large providers, and it is difficult to tell a legitimate e-mail request from a fraudulent one. Never share confidential information via e-mail.
- Lastly, you will receive calls from sales folks and others wanting to work with you on aspects of your 401(k) maintenance and administration. Be careful not to share information with these callers until you have verified their identity and decided to establish a formal relationship with their organization. This is another way fraudsters work to gain information about your plan.
It is critical to protect the data in your 401(k) plan; your participants are counting on you to ensure that the confidential information they have shared remains private. Please review the above steps to help maintain the security of your plan and the vital information contained in the plan records.
If you would like to discuss Summit CPA Group’s audit process in more detail, or need an audit for the first time, contact our office at (866) 497-9761. We’re here to help you navigate the world of the 401(k) audit as proficiently as possible. We also offer flat-fee pricing, so there are no surprises on your bill when the job is complete. For assistance, contact our office at (866) 497-9761 to schedule an appointment.