Cybersecurity Must Be a Priority for Plan Fiduciaries
Most 401(k) plans have access to a large pool of funds, making them an attractive target for cybertheft. And while stolen funds are devastating, unauthorized transactions aren’t the only goal of cybercriminals. 401(k) accounts contain a plethora of sensitive personal information that can entice hackers interested in perpetrating identity theft and other forms of fraud. Because of these risks, it’s important for fiduciaries to understand cybersecurity and to follow established safety protocols aimed at keeping their plans secure.
Growing Risks for Plans
According to a 2022 survey by Callan, cybersecurity is a top concern for plan sponsors, and nearly a third of sponsors polled stated that they intended to review and audit their plans’ security practices. Their concerns aren’t unfounded. While the exact number of cyberattacks on 401(k) plans is unknown, successful breaches can be highly damaging. For example, one lawsuit alleged that more than $245,000 was stolen from a retirement account over a two-month period.
Multiple Avenues of Attack
Most people know not to share passwords or use public computers to check sensitive information. But even if participants and fiduciaries follow these basic protocols, they might still be at risk. One of the most common forms of cyberattack is phishing, where a cybercriminal sends a fake message that resembles official correspondence and baits the recipient to enter their personal information. But in addition to phishing, hackers could target the plan’s hosting servers directly to gain access.
Some of the concerns about cybersecurity are around the plan assets themselves. As more plans begin to offer cryptocurrency options, some experts worry that this could make 401(k) accounts even more vulnerable – in fact, a 2021 study showed that cyberattacks on cryptocurrency were among the top three types of crime reported to the FBI.
The Department of Labor (DOL) has issued guidance for plan fiduciaries that outlines their responsibility to ensure their plans are safe and provides best practices for cybersecurity. The DOL clarifies that ensuring cybersecurity is part of a fiduciary’s duty to protect plan participants, and many of the techniques it recommends involve regular security checks and procedural clarity. The department states that plans should have a clearly outlined security procedure and access protocols to ensure that no one other than participants and fiduciaries can access plans. It also recommends strong and up-to-date data encryption, regular security training and audits, and strict vetting of service providers.
By adopting the DOL’s recommended practices, fiduciaries can provide an extra level of safety and security for plan participants. Sponsors should have processes in place to address breach notifications, system restoration and the evaluation of service providers with cybersecurity in mind. Just as risk is inherent in markets, it will always be present in the online management and administration of retirement plans. It’s therefore incumbent upon plan sponsors to adopt prudent processes to detect and deter breaches as well as mitigate damage resulting from cyberattacks.
What Is a Recession and What Does That Mean for the Markets?
As the seasons change and the days start to get chillier, market trends are calling for doom and gloom in the economy. Some argue that a recession is inevitable if not already here. What exactly does this mean and what should Americans do if in fact we are in a recession?
What is a recession? Is the U.S. economy in one now?
There is no exact definition for an economic recession, but many scholars broadly define it as two consecutive quarters of declining gross domestic product (GDP). In Q1 of this year, real GDP declined by 1.6% and the latest reports show that Q2 GDP was down by 0.9% [1]. Under this definition, the U.S. economy could technically be considered in a recession. However, the National Bureau of Economic Research (NBER), the entity responsible for officially declaring recessions, has yet to do so. The NBER typically acknowledges periods of recession after the fact because the previously mentioned definition does not consider other impacting variables like unemployment rates, inflation, and global events.
Recession or not, the truth is that markets have not been performing at their best and many are worried about what this means for their retirement as well as their overall financial wellbeing.
How did we get here?
There are several factors that have contributed to poor market performance over the last two quarters. After years of lockdowns and restrictions, many were hopeful for a post-pandemic economic boom in 2022. However, supply chain disruptions stemming from the Covid-19 lockdowns along with sanctions against Russian oil and gas have magnified the issues facing the U.S. economy. Coupled with other inflationary pressures, investors are concerned the Federal Reserve may not achieve a “soft landing” for the economy as it raises interest rates to combat high inflation.
Should I be worried? How have the markets been affected?
The market’s year-to-date performance has been deep in the red, causing stress and anxiety for investors. However, this is not the first time we have seen such patterns. Markets have historically performed their worst in the months leading up to a recession. Many companies have seen their stock price drop, with a bear market (a 20% decline off the peak) being officially called in the S&P 500 earlier this June [2]. This is no cause for worry, as contractionary periods in the economy are common and a natural part of the business cycle. In fact, research shows us that markets tend to recover well in the 6, 12, and 24 months following a recession [3].
What is the next step? What should I do with my investments?
Two quarters of negative GDP and the threat of a recession are plenty to instill fear and deter investors from interacting with the market. However, 9 out of the past 10 recessions show positive market returns just one year later, averaging 16%. The median growth of a $100,000 investment 10 years from the start of a recession is $222,581, and returns were positive in all cases.
Investing in the current market environment can be mentally challenging, but history shows us that a long-term focus, combined with the ability to ride out short-term volatility, offers the best opportunity for setting yourself up for extraordinary long-term gains.
[2] https://www.forbes.com/sites/qai/2022/08/24/the-average-bear-market-lasts-289-days-how-long-do-we-have-left/?sh=34829ee5d5d3
[3] https://6743242.fs1.hubspotusercontent-na1.net/hubfs/6743242/Markets%20and%20Recessions%20-%20Trending%20Conversations%20presentation.pdf
DOL Brokerage Window Guidance and Cryptocurrency Accounts
Recently, the U.S. Labor Department issued new 2022 guidance regarding 401(k) retirement plans that offer, or are considering offering, investments in cryptocurrency and/or self-directed brokerage accounts in their plan menu.
Most plan sponsors have not worried about this issue, primarily because there has been no guidance to date regarding brokerage windows, which had not previously been the subject of DOL scrutiny. This lack of scrutiny generally led plan sponsors to set up brokerage windows for participants and then disclaim any liability for poor investments made by participants. Some plan sponsors’ logic was that, once the window was set up, the investments were the sole responsibility of the participants.
Based on the new guidance, employers could have fiduciary responsibility for participant cryptocurrency trades made through their self-directed accounts. Concurrently, the DOL announced that it will begin an “investigative program” that would require plan sponsors to “square their actions with their duties of prudence and loyalty” if they permit participants to invest in cryptocurrency or invest within their self-directed accounts.
The DOL’s stated interest is to now ask plan sponsors to explain why crypto was part of a participant’s self-directed account. This could easily open the door to a new level of scrutiny for all self-directed investments, which could portend potential plan sponsor liability from both federal regulators and plaintiffs’ attorneys.
You may recall that approximately ten years ago the DOL issued guidance to regulate brokerage windows, but the guidance was withdrawn after criticism, primarily from the investment industry. Since then, we have been anticipating action on the DOL’s stated intent to impose more robust fiduciary duties to monitor participants’ self-directed investments; that action has now arrived. The somewhat nebulous previous guidance made a point of reminding plan sponsors that they should not interfere with participant investments, as doing so could lead to fiduciary liability. As a result, many plan sponsors who did offer self-directed accounts took a hands-off approach to investments inside those accounts. This assumption appears to run contrary to the intent of the DOL’s prudent fiduciary investment responsibilities.
Based on this new guidance, plan sponsors offering, or considering offering, a brokerage account and/or cryptocurrency as an investment option for participants should discuss and consider possible restrictions with their ERISA counsel and their investment partners.
Securities offered through Kestra Investment Services, LLC (Kestra IS), member FINRA/SIPC. Investment advisory services offered through Kestra Advisory Services, LLC (Kestra AS) an affiliate of Kestra IS. Kestra IS and Kestra AS are not affiliated with Higginbotham.
The “Retirement Times” is published monthly by Retirement Plan Advisory Group’s marketing team. This material is intended for informational purposes only and should not be construed as legal advice and is not intended to replace the advice of a qualified attorney, tax adviser, investment professional or insurance agent. (c) 2018. Retirement Plan Advisory Group.