Keys to Guarding Retirement Plan Data Against Human Error

Mistakes managing employer-sponsored plan data often expose vulnerabilities that can be exploited by bad actors.

As the digital age evolves, so too do the risks that threaten the security of employer-sponsored retirement plans and their data. Human error within organizations poses a significant risk, as hackers are adept at taking advantage of these vulnerabilities. Understanding and mitigating these risks is therefore crucial for plan sponsors, recordkeepers and participants alike.

Frank Bitzer, national director of ERISA consulting at Marsh McLennan Agency, says that in the current economic climate, with discussions of recession in and out of the news, many companies are starting to cut back on their security budgets.

“They’re trying to wash their nickels and dimes,” he says. “Unfortunately, sometimes they will cut back expenses in IT, in security, software services and monitoring services. That’s where you will see human errors.”

Errors by service providers are not uncommon, and the quality of these providers can vary significantly, according to Bitzer. While some employees excel in their roles, others fall short, potentially failing to deliver on their promises to meet recommended security standards. This inconsistency can lead to vulnerabilities, as individuals may misunderstand their tasks, neglect to ask critical questions or overlook warning signs.

Chris Bellomo, EY’s Americas retirement income leader, notes that every individual handling retirement plan data introduces a potential risk.

“Human error situations often arise when there are lapses in controls during manual processes, insufficient identity access management … a lack of awareness about data risks, and widespread, unmanageable data distribution across the enterprise,” he says.

Bellomo urges plan advisers to be proactive in helping their plan sponsor clients prevent human error-related security incidents. This requires the design and establishment of a robust data governance and controls program with clearly defined access controls across all processes and reports.

Plan fiduciaries should also consider investing more in automating tasks that use personal data and make sure all data is encrypted from start to finish for better security. Additionally, training and awareness about appropriate use of data continue to be critical.

Bad Actors

“We’ve seen cases of human error where money has been lost,” Bitzer says. “It’s been sent to the wrong account because somebody fat-fingered the account numbers or the transfer numbers in the system, but those can usually be resolved.”

Financial institutions can trace the error, contact the receiving party and work to correct it. Since these errors can happen to any institution, there is generally a spirit of cooperation when it comes to resolving them. Additionally, sometimes it is a member of the financial institution that made the initial mistake.

“Human error, in and of itself, usually isn’t going to cause somebody to steal your money,” Bitzer says. “That involves an intent by an acting person, and that’s your hacker on the other end. […] These hackers are very, very good. They know how to spot these vulnerabilities. Once they spot them, they will exploit them.”

He recounts a case from late 2023 in which a woman discovered that $800,000 had been drained from her individual retirement account. Arguing with her bank and trustee, she delayed contacting the FBI or IRS. By the time her service providers convinced her to involve the authorities, the money was already gone, and they have yet to be able to recover it.

Bitzer says part of the issue stemmed from human error, such as the woman’s lax maintenance of her online security and passwords. Additionally, the financial institution that held her IRA experienced a breach of its firewalls. Litigation is likely under way, if it has not already begun. The critical mistake, however, was the delay in involving the FBI and attempting to recover the funds.

“FBI first, finger-pointing second,” Bitzer says.

Increased Threat

Abhishek Madhok, EY Americas’ insurance cybersecurity leader, notes that “exposure of personal identifiable information data to bad actors presents a heightened risk to the near- and in-retirement participants, as elder fraud has increased significantly due to larger average account balances.”

Fraudsters are now leveraging artificial intelligence to conduct more sophisticated fraud attempts, using PII that has been leaked or sold on the dark web, Madhok says. This technological advancement in cybercrime underscores the need for increased vigilance.

Jay Gepfert, a founding partner in advisory consultant Culpepper RFP, says more than 65% of data breaches stem from individuals unknowingly falling prey to hacking schemes. Once information is provided to hackers, they are able to gain greater access to the individual’s information or possibly that of the sponsor or service provider.

Since most hacking issues arise with recordkeepers and third-party administrators, as they hold sensitive personal information, a data breach into an individual account could create the opportunity for an unauthorized distribution, according to Gepfert.

Gepfert says many recordkeepers have guaranteed data security, but those promises are based on participants logging into their account on a frequent basis and changing their login information. If the frequency is not kept up, the guarantee is not valid.

“Plan sponsors, like any organization, have to remain diligent to educate and train the employees and participants on the common methods that bad actors are trying to gain access to retirement accounts and other personal accounts,” Gepfert says. “A piece of the DOL cyber guidance centers around the ongoing education to participants to keep them abreast of the things they can do to protect themselves.”