The bad news: Millions of Americans’ retirement accounts face grave cybersecurity risks.
The good news: There are some simple things you can do today to enhance the safety of your investments.
More than 100 million people use employer-provided retirement plans, which hold more than $6 trillion in assets, according to a recent report by the U.S. Government Accountability Office (GAO). The report sounds the alarm on major cybersecurity risks these investors — and their money — are exposed to.
We talked to Nick Marinos, a cybersecurity expert and director with the GAO, who helped us understand what Americans should know about his agency’s findings, and what can be done to take security into your own hands.
You face cybersecurity risks any time you do business online. But with an average balance of $95,600, the stakes take on new meaning when it comes to retirement accounts.
A fraudulent credit card charge or data hack can be a big hassle. A loss of your investments to theft can wreck your retirement. The GAO report found one instance where a retirement plan participant had $245,000 stolen from their account after a cyberthief obtained personal information, including the last four digits of their Social Security number and date of birth.
Something else that’s unique about retirement accounts is how infrequently most people check them, Marinos says. You are probably more likely to check your checking or credit card account on a regular basis than you are your 401(k).
“As a result, if some sort of nefarious activity were taking place, it may take longer for it to be detected,” Marinos says.
Back to the good news: There are some immediate and simple things you can do to protect your retirement accounts.
While common retirement investing advice calls for not sweating the daily ups and downs of your accounts, that doesn’t mean you should go weeks or months without checking them. Make a habit of checking your financial accounts at least every month, so you notice anything suspicious sooner rather than later, Marinos says. Consider checking on your retirement accounts every month when you pay your bills as a way to build this into your routine.
These risks apply broadly across the financial services industry, so it isn’t as simple as using one investing platform over another, Marinos says. Companies are increasingly susceptible to attacks, he says, and your best bet is to follow the cybersecurity fundamentals:
For more information about cybersecurity risks and things you can do to protect yourself, the U.S. Cybersecurity & Infrastructure Security Agency hosts a website full of tips and information.
The GAO has included cybersecurity on its list of the highest risk areas to the federal government in the nation for nearly 25 years, Marinos says. “The urgency is getting even more dire for the federal government to take action.”
As for what that action should be, the GAO report includes two key recommendations:
This lack of clarity on cybersecurity standards across the different companies that have access to people’s retirement accounts — from the plan administrators to your employer for 401(k) accounts — is a common theme in the report. “The bottom line of our report ended up being that there needs to be better clarity as to what are the responsibilities of entities that have access to our personal information,” Marinos says.
Without that, attackers will look for the most vulnerable companies, with the risks passed on to retirement investors who use them.