Dive Brief:
- While many corporations have cybersecurity in place for their financial operations, they might not have considered the cyber safety of their employee benefits department – the “soft underbelly” of corporate hacking targets, reports Employee Benefit News.
- While the big 401(k) record-keepers tend to have “sophisticated” security systems in place, smaller firms may not be up to par.
- As is often the case with workplace cybersecurity issues, employees can be a weak link and inadvertently engage in practices that weaken security measures, such as transferring data to personal laptops in order to do work at home, thus circumventing company firewalls.
Dive Insight:
Phishing scams that obtain an employee's data and then impersonate that individual to draw out 401(k) funds into a local bank are a common hacker strategy, EBN reported.
“We’ve seen hackers try this three or four times this year,” Robert Hudock, member of Epstein Becker Green law firm, told EBN. In all but one case, the funds were recovered.
One big question employers may have: Who is responsible when hacks occur, particularly in 401(k) accounts? Usually, a service agreement between a 401(k) keeper and an employer outlines “certain conditions” that an employer must meet before the keeper is responsible for losses – often issues such as firewall maintenance and patching. Therefore, employers should be careful to ensure that their benefit IT infrastructure is updated and strong.