Got Hacked?

By Jack Towarnicky

Can you answer that question? Are you watching the news?¹ Note that the cybersecurity threats to your retirement savings plan have shifted and mutated. In the past, plan sponsors and service providers focused on data breaches, but that’s too late! All those breaches mean your participants’ retirement plan data is out there and available to be exploited. More and more, the industry is suffering from cyber fraud where hackers take over participant accounts.

So, if you can’t answer that question, pick up the phone and give your service provider a call. Today, now! What you don’t know can hurt!

PSCA National Conference Session on Cybersecurity
Whether or not you can answer that question today, be sure to attend PSCA’s 2019 National Conference session on Cybersecurity - Best Practices in Providing Cybersecurity:

Increasingly, your employee benefit plans face significant cybersecurity threats and, considering the significant amount of assets involved, the consequences of even a single attack can be devastating. This session will describe the latest security standards, recent administrative guidance, and the latest product offerings designed to address these risks.
Presented by: Joe Adams, Partner, Winston & Strawn; Amy Gordon, Partner, Winston & Strawn; Tim Rouse, Executive Director, SPARK Institute

How is the risk changing? Because of the enormous amount of assets involved, these can be seismic events. Looking at the 5500 data, you can see what an attractive target retirement plan assets are to would-be robbers.²

401(k), 403(b), 457(b) and other individual account plans are only one part of the story. We now have approximately $27 Trillion in assets in various forms of retirement plans – pensions, 401(k), IRA, HSAs, and others – with over 200 million accounts!

And, keep in mind that more and more participants are leaving assets in their 401(k) plans. In fact, our 61st Annual Survey confirms that 80 percent of plans allow workers to retain assets in the plan after separation. Further, one in five employers actively encourages individuals to leave money in the plan after separation. Those aren’t twenty-something computer-literate, smartphone-savvy, technologically sophisticated workers … we’re talking about the grey-haired Baby Boomer generation retirees like me.³

Who’s Watching The Retirement Vault?
You better be. Others have taken a look at this in the past.⁴ But, it has been more than seven years since the report. Other government officials are looking into this right now.⁵ Can you afford to wait any longer for guidance?

Act Now!
After you’ve called your service provider, and after you’ve registered for PSCA’s 2019 National Conference, you may want to take a look at the Spark Institute’s white paper.⁶

Read up, so you can be sure that you will get the maximum value out of this session. The session will help you evaluate and measure a record keeper's cybersecurity capabilities.

Myself, I expect there will be sufficient tools, techniques, and takeaways from just this one session that may justify, all by itself, a plan sponsor’s attendance at the 2019 PSCA National Conference.

Be prepared. See you in Tampa, FL.

1 T. Armerding, The 18 biggest data breaches of the 21st century: Security practitioners weigh in on the 18 worst data breaches in recent memory, 12/20/18. 1. Yahoo, 3 billion user accounts; 2. Marriott, 500 million customers; 3. Adult Friend Finder, 412 million accounts; 4. eBay, 145 million users; 5. Equifax, 143+ million consumers; 6. Heartland Payment Systems, 134 million credit card holders; 7. Target Stores, 110 million credit/debit card holders; 8. TJX Companies, Inc., 94 million credit card holders; 9. Uber, 57 million users, 600,000 drivers; 10. JP Morgan Chase, 76 million households, 7 million small businesses. Also: US Office of Personnel Management (OPM), Sony's PlayStation Network, Anthem, RSA Security, Stuxnet, VeriSign, Home Depot, Adobe. Accessed 3/8/19 at: See also: S. Max, Your 401(k) Might Be a Target for Hackers, Barrons, 12/2/18. Suggests that some service providers have been fooled into thinking the individual committing identity theft/fraud was the participant. Accessed 3/8/19 at: See also: D. Hilton, Your 401(k) Accounts Could Be Hacked, 10/3/17. Suggests that once a participant is aware that her information has been hacked (Equifax, etc.) she should check her 401(k) accounts, change passwords, etc. Accessed 3/8/19 at:
2 Employee Benefits Security Administration, U.S. Department of Labor, Private Pension Plan Bulletin Historical Tables and Graphs 1975-2016, December 2018, Accessed 3/8/19 at:
3 K. Skiba, Attorney General Says 225 Charged in Elder Fraud Sweep. Justice Department says over 2 million older Americans were scammed out of more than $750 million, AARP, 3/7/19, Accessed 3/8/19 at:
4 ERISA Advisory Council, Privacy and Security Issues Affecting Employee Benefit Plans, November 2011, Accessed 3/8/19 at: See also: SOA, A Conversation on Dementia and Cognitive Decline, December 2018, Accessed 3/8/19 at:
5 Senator Patty Murray (D-WA) and Congressman Bobby Scott (D-VA) Request Oversight of Cybersecurity in the Retirement System, 2/13/19, Accessed 3/8/19 at: and
6 Spark Institute, Data Security Reporting, Release 1.0, September 20, 2017, Accessed 3/8/19 at: