New Lawsuit Acts as Cybersecurity Warning

A new lawsuit filed by a participant whose 401(k) plan assets were stolen acts as a warning to retirement plans to institute procedures to ensure assets are not vulnerable to theft.

The complaint filed by the participant alleges that an individual impersonating the participant called the 401(k) plan’s recordkeeper to ask for help withdrawing funds from the participant’s account. The complaint further alleges that the recordkeeper did not have sufficient procedures in place to address this type of theft, as it did not attempt to confirm the withdrawals through instant communication with the participant, such as through email or a phone call to the number on record. Instead, the recordkeeper only mailed confirmation of the withdrawal to the participant; by the time that mail was received, the funds had already disappeared from the 401(k) account. Further, the recordkeeper’s agent allegedly disclosed the participant’s address to the imposter and assisted the imposter in changing the participant’s account password.

While many plan sponsors and plan professionals are focusing on preventing breaches and theft via more advanced and expansive hacking techniques, this lawsuit is a warning to both recordkeepers/third-party administrators and plan sponsors that theft can occur at the individual participant level. Customer service agents should be trained to look for red flags, and procedures should be put in place to counteract this method of theft.

