EBNBy Spencer Williams | April 8, 2019

All companies that manage personal consumer data, regardless of where they are based or what industry they are part of, are right to be concerned about cybersecurity. The scope and scale of cyberattacks continue to increase around the world, as last year’s breach compromising 50 million Facebook users demonstrated.

The U.S. retirement system is not immune to the threat. In fact, it is a tempting target for cybercriminals, and lawmakers are keen to protect defined contribution plan participants’ personal data. In a recent example, on February 12, 2019, Sen. Patty Murray (D.-Wash.) and Rep. Bobby Scott (D.-Va.) sent a letter to Gene Dodaro, Comptroller General of the U.S. Government Accountability Office, asking the organization to “examine the cybersecurity of the private retirement system.”

Fortunately for plan sponsors, record-keepers, and other parties in the retirement services industry, the same solution designed to address the multiple problems stemming from the upsurge in small, stranded 401(k) accounts—auto portability—can also augment existing practices that protect plan participants’ personal data.

Auto portability is the routine, standardized, and automated movement of a retirement plan participant’s 401(k) savings account from their former employer’s plan to an active account in their current employer’s plan. This solution is underpinned by paired “locate” and “match” algorithms which work together to 1) locate participants with multiple 401(k) plan accounts, 2) confirm their identities, 3) obtain their consent for beginning the process of rolling their stranded accounts—which are either still in former-employer plans or have been automatically rolled into safe-harbor IRAs—into active accounts in their current employers’ plans, and 4) effect account consolidation by implementing a roll-in to the participant’s current employer plan.

The act of consolidating accounts reduces the number of small accounts in the 401(k) system via auto portability, making plan participant data more secure. Consolidating a participant’s multiple 401(k) accounts reduces the number of systems with that participant’s data, and also encourages participants, sponsors, and record-keepers to become more engaged when it comes to keeping track of accounts.

Auto Portability Meets Cybersecurity Best Practices

While there is currently no central legal framework regulating cybersecurity in the retirement services industry, the SPARK Institute published a compilation of recommended cybersecurity best practices for retirement plan record-keepers in 2017.

Auto portability, which went live that same year, operates in conformance to the SPARK Institute’s cybersecurity recommendations.

For example, the SPARK Institute’s compilation of 16 security control objectives includes the practice of encryption, which requires protection of both “data-in-motion and data at rest” and goes one step further by suggesting that the same data protection risk management standards be applied to suppliers. The below proof points illustrate how the auto portability solution we developed addresses these areas of cybersecurity:

  • All sensitive information stored for auto portability is encrypted using Advanced Encryption Standard (AES) 256-bit encryption, an industry standard for encrypting electronic data developed by the National Institute of Standards and Technology. At present, there is no known type of cyberattack that would allow a hacker to read AES-encrypted data without knowledge of the cryptographic key.
  • During the locate-and-match process described above, a social security number is never combined with other personally identifiable information (PII) in any single file transfer. The objective is to ensure there is never enough PII in any single data transmission for a hacker to use to steal an identity. In addition, any file with personal information never includes the identity of either the plan sponsor or the recordkeeper, further thwarting a hacker from accessing an individual participant’s retirement account.
  • Auto portability supports multiple methods of exchanging secure data.
  • Each participating service provider has its own secure channel for transmitting participant data.
  • Any potential matches flagged during the locate-and-match process which don’t adhere to certain criteria require additional verification in order to confirm the identity.
  • Full address-location searches are conducted to ensure the correct participant is found and properly matched to multiple accounts.

When participants strand 401(k) savings accounts in former-employer plans, and nothing is done to transport them to active accounts in their present employers’ plans, the likelihood of becoming a victim of cybercrime increases. Plan sponsors can protect themselves and their participants from hackers—and, simultaneously, strengthen their overall cybersecurity preparedness—by implementing auto portability to proactively reduce small accounts and lost/missing participants.

Back