Your retirement account is supposed to be a growing pot of money that you spend years building. You are actively encouraged not to monitor it too closely to prevent knee-jerk reactions to market swings.
But are 401(k)s safe following the Equifax data breach?
Since the breach you may have seen plenty of advice on how to protect your identity or your bank accounts, but investment accounts like your 401(k) might seem particularly tasty to hackers given their size.
Yes, you do need to worry about their safety, but mostly in the way that you need to be alert about everything involving your money now that so much of your personal data is circulating around the dark web.
The reality is your nest egg is probably safe — emphasis on the probably.
Access to your 401(k) account is limited
If you’re an employee participating in your company’s 401(k) program, accessing that money is not exactly easy. In other words, all the hoops involved make it an unlikely target from an account takeover perspective.
“Someone would have to both fake your termination (validated via payroll status and employer acknowledgment) then hack your 401(k) account, request the distribution, then somehow hack your employer to ‘approve’ the distribution,” Kevin Busque, CEO of Guideline, a startup 401(k) plan provider, wrote in an email. “Ugh, that’s a lot.”
Hackers like easy stuff. This isn’t it.
Once you’re retired, your money is easier to access, but it still seems fairly safe so long as you take the proper steps to protect it.
How your money is protected
Unlike bank accounts that are backed by the FDIC or credit cards that carry zero liability policies, investment accounts like 401(k)s have no such legal protection. Instead, providers typically have cyber-fraud insurance that is then extended to you.
Most of the major providers — Fidelity, Charles Schwab and Vanguard, for instance — promise to cover you if your account is compromised. But without specific legal protection, how you become whole if your account is hacked is not entirely clear. The provider will likely cover you, but you may have to prove you didn’t play a role in the hack.
For example, Vanguard has a fairly detailed explanation of the responsibilities you must have met in order to be protected. They are fairly open-ended. You’re expected to “check your account frequently,” but Vanguard doesn’t specify how it defines frequently. A spokeswoman for the company said in an email that it reviews fraud on a case-by-case basis.
How to protect yourself
The providers all have similar guidance on what you should do to protect your account. Much of the advice echoes what the Securities and Exchange Commission said in a recent bulletin:
- Pick strong passwords that are different from the passwords you use on other sites. Change them regularly, too.
- Add security by using biometric log-ins and two-factor authentication on your mobile phone.
- Be mindful of which computers you use to check your accounts. Don’t use public computers, use caution with Wi-Fi connections and make sure your browser is up to date.
- Check your account regularly and promptly report problems. Opt in to account alerts that will notify you any time there is a transaction.
The security behind 401(k) accounts is fairly robust.
Paul Martini, CEO of iboss, a cybersecurity provider, likened account providers’ security to Fort Knox. Hackers would likely avoid Fort Knox, but they might stake out the wayward employee who checks his email on the free Wi-Fi at Starbucks, Martini says.
Imagine what might happen if hackers found their way into a major investment firm and tried to drain the accounts.
It’s a scary thought, but not realistic, Busque said.
“The flow of assets is measured every day. There are people and systems sitting there watching it, so it kinda can’t happen,” he says. “Loss of wealth is going to happen in the stock market, not a $1 trillion wire carried out by hackers.”