Cybersecurity Risks to 401(k) — How to Protect Your Retirement

March 23, 2021


The bad news: Millions of Americans’ retirement accounts face grave cybersecurity risks. 

The good news: There are some simple things you can do today to enhance the safety of your investments.

More than 100 million people use employer-provided retirement plans, which hold more than $6 trillion in assets, according to a recent report by the U.S. Government Accountability Office (GAO). The report sounds the alarm on major cybersecurity risks these investors — and their money — are exposed to.

We talked to Nick Marinos, a cybersecurity expert and director with the GAO, who helped us understand what Americans should know about his agency’s findings, and what can be done to take security into your own hands.

What Should You Know About Retirement Account Cybersecurity Risks?

You face cybersecurity risks any time you do business online. But with an average balance of $95,600, the stakes take on new meaning when it comes to retirement accounts. 

A fraudulent credit card charge or data hack can be a big hassle. A loss of your investments to theft can wreck your retirement. The GAO report found one instance where a retirement plan participant had $245,000 stolen from their account after a cyberthief obtained personal information, including the last four digits of their Social Security number and date of birth.

Something else that’s unique about retirement accounts is how infrequently most people check them, Marinos says. You are probably more likely to check your checking or credit card account on a regular basis than you are your 401(k).

“As a result, if some sort of nefarious activity were taking place, it may take longer for it to be detected,” Marinos says. 

What You Can Do to Protect Your Data and Investments

Back to the good news: There are some immediate and simple things you can do to protect your retirement accounts. 

While common retirement investing advice calls for not sweating the daily ups and downs of your accounts, that doesn’t mean you should go weeks or months without checking them. Make a habit of checking your financial accounts at least every month so you notice anything suspicious sooner rather than later, Marinos says. One way to build this into your routine is to review your retirement accounts each month when you pay your bills.

These risks apply broadly across the financial services industry, so it isn’t as simple as using one investing platform over another, Marinos says. Companies are increasingly susceptible to attacks, he says, and your best bet is to follow the cybersecurity fundamentals:

  1. Use stronger account authentication: Enable two-factor authentication whenever possible. It requires you to enter your username and password and then confirm that it is actually you seeking access to the account, commonly via text message, phone call, or mobile app.
  2. Use stronger passwords: The longer and more complex, the better. Don’t reuse the same password across multiple accounts. A password manager is a good way to generate and store many strong passwords.
  3. Be mindful of how you access your accounts: Whether you use a smartphone, laptop, desktop, or other device, make sure you are up to date with system updates and security software. Don’t access your retirement or bank accounts on public computers.
  4. Be skeptical, and trust your instinct: If an email or phone call looks or seems suspicious, assume it is. Don’t respond to a suspicious email that appears to be from your plan administrator. Instead, call them directly to confirm whether the email is legitimate.
  5. Be mindful of what you share online: The more personal information you share online, the more likely that information can be used in attempts to gain access to your accounts.

For more information about cybersecurity risks and things you can do to protect yourself, the U.S. Cybersecurity & Infrastructure Security Agency hosts a website full of tips and information.

What Should the Government Be Doing About It?

The GAO has included cybersecurity on its list of the highest-risk areas facing the federal government for nearly 25 years, Marinos says. “The urgency is getting even more dire for the federal government to take action.”

As for what that action should be, the GAO report includes two key recommendations: 

  1. The Department of Labor (DOL) should formally define whether or not it is the responsibility of platforms administering 401(k) and similar defined contribution accounts to mitigate these cybersecurity risks.
  2. The DOL should create and issue guidance that defines minimum expectations for mitigating these cybersecurity risks, to be followed by companies offering these plans.

This lack of clarity on cybersecurity standards across the different companies that have access to people’s retirement accounts — from the plan administrators to your employer for 401(k) accounts — is a common theme in the report. “The bottom line of our report ended up being that there needs to be better clarity as to what are the responsibilities of entities that have access to our personal information,” Marinos says.

Without that, attackers will look for the most vulnerable companies, with the risks passed on to retirement investors who use them.