October 15th has come and gone. Your company’s 401(k) financial statements and Form 5500 have been filed on time, but what is next?

As a Plan Sponsor and Fiduciary, there is an obligation to secure and keep personal information of plan participants secure. The U.S. retirement model, which the Investment Company Institute values at over $5 trillion in 401(k) plan assets alone, has become an increased target of foreign hackers. Since 2013, there have been over 3.8 million records stolen daily. One in every three Americans are affected by a hacker attack each year. Furthermore, as reported by Cybint Cyber Solutions, only 38 percent of global organizations claim they are prepared to handle a sophisticated cyber-attack.

A potential shortfall for organizations is improperly handling online access to third-party administrator (“TPA”) websites. The Plan Sponsor is responsible for establishing administrators to monitor the 401(k) plan throughout the year; however, external auditors, such as myself, can also be granted access into a Company’s TPA website. This is a common practice and provides numerous benefits, including the ability to obtain information without having to request from the Plan Sponsor and even the ability to submit sample selections directly to TPA online portals. While this access streamlines the audit process, there are certain considerations to be made at the end of your audit engagement.

  1. Verify that external auditors are only given industry professional access versus employer or employer representative access. There are various levels of access that can restrict the auditor or other working professionals from being able to do things such as editing the Form 5500.
  2. Restrict the time-period for access to the TPA website. After the audit is completed and the Form 5500 is filed, remember to revoke external auditor access. This access can be reinstated the following year to the proper individuals.
  3. Require employees, administrators at the Plan Sponsor and auditors to change passwords. After considering 90 percent of employee passwords can be cracked within six hours and nearly two-thirds of individuals use the same password for more than one account, it is evident that requiring periodic password updates could have huge savings.

“Proper protection of sensitive data begins with a cybersecurity plan. And an effective cybersecurity plan, or program, must include an evaluation of the security practices of third party sites that store, process, or transmit sensitive data for a company” says Mark Burnette, Shareholder-in-Charge of LBMC’s Information Security Practice. “If a company’s data is compromised, even if it’s on a third-party site, customers and employees will expect the company to be accountable.  Following the simple tips above can really help an organization’s security posture.”

Sometimes the simplest tasks are the ones that can be overlooked. While these steps will require minimal effort to implement, increased peace of mind is worthwhile.

For more information about obtaining an employee benefit plan audit, or questions about your Plan, contact Kurt Zollner, Audit Manager at LBMC at 615-309-2477 or kzollner@lbmc.com. For any questions about further protecting information from a cyber attack, contact Mark Burnette, Shareholder-in-Charge, LBMC Information Security at 615-309-2447 or mburnette@lbmc.com