401(k) plan management involves handling large volumes of sensitive participant data, including participants’ personally identifiable information (PII). Recordkeepers managing participant data must ensure its security and confidentiality.

However, the recent leak of data on 1,883 Walmart 401(k) participants was caused by human error at the plan recordkeeper. The incident has exposed weaknesses in the current regulatory framework and highlights the need for recordkeepers to strengthen their data security measures and for regulators to close the gaps in existing regulations.

This whitepaper examines the regulatory gaps that expose recordkeepers and plan sponsors to significant risks, and how Congruent Solutions can help mitigate them.

Data security in 401(k) plans

Data breaches have become common with the shift to digitalization of participant records. In February 2024, over 451,000 J.P. Morgan Chase 401(k) plan participants had their personal information exposed due to a software issue. A data breach may lead to identity theft, result in financial fraud, and even jeopardize retirement savings.

In addition to protecting sensitive personal information, recordkeepers must safeguard plan assets from cyber threats. A data breach in a recordkeeper’s system can result in significant financial losses for the plan sponsor and participants. It can also damage the reputation of recordkeepers and erode trust among plan participants.

The role of recordkeepers in data security

Recordkeepers manage the data of thousands of 401(k) participants, amounting to $7.8 trillion in assets, making them an attractive target for cybercriminals. Despite their critical role, many recordkeepers attempt to limit their liability through contractual clauses that exclude fiduciary obligations. This creates a significant gap in regulatory oversight: the Department of Labor (DOL) primarily targets plan sponsors, leaving recordkeepers with less direct accountability.

Regulatory gaps and challenges in 401(k) plan management

Several regulatory gaps exist within the current 401(k) plan management framework, leaving room for risks to thrive. Some of these gaps include:

The limited scope of DOL’s cybersecurity guidance

In 2021, the DOL issued its first cybersecurity guidance for retirement plans, focusing on plan sponsors’ responsibilities. While this was a step in the right direction, it did not address the accountability of third-party service providers like recordkeepers. As a result, plan sponsors remain the primary entities responsible for preventing data breaches, and the guidelines do not define the accountability of recordkeepers and third-party 401(k) plan administration service providers.

Fiduciary liability and legal precedents

The legal landscape surrounding fiduciary liability for data breaches is still evolving. Under the Employee Retirement Income Security Act of 1974 (ERISA), fiduciary liability can extend to other parties if it is proven that they exercised control over plan assets during a breach. However, the courts have yet to definitively determine whether data constitutes a “plan asset” in the same way as monetary funds. Recent lawsuits against recordkeepers, such as Bartnett v. Abbott Laboratories, have questioned whether cybersecurity responsibilities fall under a fiduciary duty of prudence under ERISA, particularly in plan administration, but outcomes remain uncertain.

A patchwork approach to state and federal privacy laws

While ERISA provides a federal framework, state data privacy laws also regulate how data breaches are handled. State privacy laws, such as California’s Consumer Privacy Act (CCPA/CPRA) and Virginia’s Consumer Data Protection Act (VCDPA), require businesses to notify consumers of data breaches. The requirements vary from state to state, and neglecting them may result in penalties.

The lack of a unified federal approach leads to a patchwork of regulations. Recordkeepers operating across multiple states must navigate this patchwork, which complicates compliance and accountability. Although certain federal efforts like the proposed Data Security and Breach Notification Act seek to unify these regulations, they have yet to be passed.

Why must recordkeepers proactively manage 401(k) data security?

Addressing these regulatory gaps is crucial to protect plan participants’ sensitive information as the frequency and cost of cyber incidents increase. Even while these gaps in regulatory oversight remain, recordkeepers must take proactive measures to secure participant data and mitigate risks.

The key reasons why recordkeepers must proactively manage 401(k) participant data security are:

Financial impact

Data breaches may result in financial losses for recordkeepers, plan sponsors, and participants. For instance, the MOVEit breach impacted nearly 4 million plan participants across 600 organizations. The FBI reported that cybercrime cost victims $12.5 billion in 2023, underscoring the financial stakes of cyber incidents.

Recordkeepers face the direct costs of a breach, such as fines and compensation, and indirect costs, such as lost business and long-term damage to client relationships. Proactively managing cybersecurity reduces the likelihood of such incidents, protecting the recordkeeper’s financial stability and plan participants’ assets.

Legal implications

Data breaches can lead to legal ramifications for recordkeepers, including class-action lawsuits. In the event of a data breach, recordkeepers may face liability claims from plan sponsors and participants. These could result in substantial costs, including legal fees, regulatory penalties, and the time spent defending against claims.

Proactive data security measures can help recordkeepers reduce legal risks. Demonstrating that they have taken appropriate steps to protect participant data strengthens plan sponsor trust in the service provider.

Reputational damage

Data breaches can damage the reputation of recordkeepers, eroding trust among plan participants and harming business relationships with plan sponsors. This can lead to significant long-term financial consequences for recordkeepers. Plan sponsors may switch to other service providers, and new clients may be reluctant to engage with a recordkeeper that has suffered a breach.

Proactively managing data security helps protect a recordkeeper’s reputation. Committing to cybersecurity is a competitive advantage in the market, as plan sponsors prioritize data security when selecting recordkeepers.

Compliance concerns

As financial institutions, recordkeepers must comply with ERISA and the Gramm-Leach-Bliley Act (GLBA). These regulations impose strict requirements for protecting sensitive personal information: recordkeepers must conduct security audits, encrypt data, and maintain security procedures that prevent unauthorized access to data.

Failure to comply with these regulations can result in penalties and reputational damage. Proactively managing data security helps recordkeepers stay current with compliance requirements and avoid legal and financial consequences.

How can recordkeepers bridge regulatory gaps?

Pressure on fee margins and outdated technology have left many 401(k) recordkeepers with room to improve in ensuring data security. Here are a few data protection strategies that recordkeepers can implement:

Technology adoption

Modernizing recordkeeping systems can help recordkeepers secure sensitive data. Switching from legacy recordkeeping systems to modern cloud-based solutions offers better security features, such as data encryption and multi-factor authentication.

Implementing AI and ML can also improve fraud detection, reducing the risk of cyber incidents. As technology evolves, recordkeepers must stay updated to protect sensitive participant data.

Employee training

Employees are the weakest link in a company’s data security, as human error accounts for 95% of cybersecurity breaches. Training employees to identify potential cyber threats like phishing scams can significantly reduce breach risks. Recordkeepers must establish strict password management and access control policies to prevent unauthorized data access.

Recordkeepers must ensure their employees know about data privacy and security protocols. Conducting regular training sessions and providing resources for ongoing education can help prevent human error and reduce the risk of a data breach.

Third-party partnerships

Recordkeepers may also consider partnering with reputable third-party vendors such as Congruent Solutions, which offer robust and secure recordkeeping solutions. Such partners can also provide additional layers of protection, including continuous monitoring, threat detection, and incident response services.

Partnering with reputable third parties can help recordkeepers close regulatory gaps and ensure compliance with industry regulations. It also allows recordkeepers to focus on their core competencies while relying on experts for data security.

401(k) data security best practices for recordkeepers

To effectively manage data security, recordkeepers should consider the following best practices:

  • Regular risk assessments: Identify and address potential vulnerabilities in data management systems.
  • Robust security protocols: Implement multi-factor authentication (MFA), encryption, and access controls to safeguard sensitive information.
  • Incident response plans: Develop clear protocols for responding to data breaches, including notification procedures for affected participants.
  • Training and awareness: Educate employees about cybersecurity risks and best practices to minimize human error.
  • Third-party risk management: Conduct thorough due diligence on third-party service providers and implement clear data protection agreements.

Securing participant data with Congruent Solutions

Congruent Solutions is a leading 401(k) retirement plan administration solutions provider. We offer secure and innovative recordkeeping solutions through our CORE platform to help recordkeepers manage data security effectively.

Our cloud-based, modern recordkeeping solutions are powered by robust security measures, including:

  • Multiple ISMS standards, including:
    • SOC 1 Type 2
    • SOC 2 Type 2
    • ISO 27001:2013
  • IP whitelisting and rate limiting
  • SPA (Single Page Application)
  • Layered authorization
    • Role-based access
    • Access limited to specific sponsor data
    • Access limited to specific plan data
  • Data encryption
    • HTTPS/TLS 1.2 for securing data in motion
    • TDE (Transparent Data Encryption) for PII at rest
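The layered authorization listed above (role-based access, then sponsor scope, then plan scope) is worth seeing as code, because the security-relevant property is that each layer is checked independently and the default outcome is deny. The following is an added illustrative example written for this whitepaper; it is not code from Congruent Solutions’ CORE platform, and the roles, sponsor and plan IDs, participant records, and the `authorize` and `fetch_participant` functions are all constructed for the illustration:

```python
"""Layered authorization for participant data: role, then sponsor, then plan.

Added illustrative example (not Congruent Solutions' CORE code). Every request
must pass three independent checks before it reaches a participant record, and
the default outcome is deny.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Layer 1: which actions each role may perform (constructed sample policy).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "sponsor_admin": frozenset({"read_participant", "update_participant"}),
    "plan_auditor": frozenset({"read_participant"}),
    "call_center": frozenset({"read_participant"}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    sponsor_scope: FrozenSet[str]  # layer 2: sponsor IDs this user may touch
    plan_scope: FrozenSet[str]     # layer 3: plan IDs this user may touch


@dataclass(frozen=True)
class ParticipantRecord:
    participant_id: str
    sponsor_id: str
    plan_id: str
    name: str  # constructed sample data, not real participants


@dataclass(frozen=True)
class Decision:
    allowed: bool
    layer: str   # layer that decided: "role", "sponsor", "plan", "lookup" or "granted"
    reason: str


def authorize(principal: Principal, action: str, record: ParticipantRecord) -> Decision:
    """Evaluate the three layers in order; the first failing layer denies."""
    if action not in ROLE_PERMISSIONS.get(principal.role, frozenset()):
        return Decision(False, "role", f"role {principal.role!r} may not {action!r}")
    if record.sponsor_id not in principal.sponsor_scope:
        return Decision(False, "sponsor", f"sponsor {record.sponsor_id} outside scope")
    if record.plan_id not in principal.plan_scope:
        return Decision(False, "plan", f"plan {record.plan_id} outside scope")
    return Decision(True, "granted", "role, sponsor and plan checks all passed")


def fetch_participant(
    principal: Principal,
    action: str,
    store: Dict[str, ParticipantRecord],
    participant_id: str,
    audit: List[Tuple[str, str, str, str]],
) -> Tuple[Optional[ParticipantRecord], Decision]:
    """Resolve the record first, then authorize against the record's OWN
    sponsor and plan IDs. Checking scope against IDs taken from the stored
    record, rather than IDs the caller supplies, is what stops a user from
    reaching another sponsor's participant by guessing an identifier."""
    record = store.get(participant_id)
    if record is None:
        decision = Decision(False, "lookup", f"no participant {participant_id}")
    else:
        decision = authorize(principal, action, record)
    # Every decision, allowed or denied, is recorded for the audit trail.
    audit.append((principal.user_id, action, participant_id, decision.layer))
    return (record if decision.allowed else None), decision


# Constructed sample data: two sponsors, three plans, three participants.
STORE: Dict[str, ParticipantRecord] = {
    r.participant_id: r
    for r in [
        ParticipantRecord("P-1001", "SP-ACME", "PL-ACME-401K", "Sample Participant A"),
        ParticipantRecord("P-1002", "SP-ACME", "PL-ACME-403B", "Sample Participant B"),
        ParticipantRecord("P-2001", "SP-GLOBEX", "PL-GLOBEX-401K", "Sample Participant C"),
    ]
}

ALICE = Principal("alice", "sponsor_admin", frozenset({"SP-ACME"}),
                  frozenset({"PL-ACME-401K", "PL-ACME-403B"}))
BOB = Principal("bob", "plan_auditor", frozenset({"SP-ACME"}), frozenset({"PL-ACME-401K"}))
CAROL = Principal("carol", "call_center", frozenset({"SP-GLOBEX"}), frozenset({"PL-GLOBEX-401K"}))

if __name__ == "__main__":
    audit: List[Tuple[str, str, str, str]] = []
    scenarios = [
        (ALICE, "update_participant", "P-1001"),  # allowed: all three layers pass
        (BOB, "update_participant", "P-1001"),    # denied at role: auditors only read
        (BOB, "read_participant", "P-1002"),      # denied at plan: 403B plan not in scope
        (CAROL, "read_participant", "P-1001"),    # denied at sponsor: other tenant's data
        (ALICE, "read_participant", "P-9999"),    # denied at lookup: no such record
    ]
    for who, action, pid in scenarios:
        _, decision = fetch_participant(who, action, STORE, pid, audit)
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{who.user_id:6} {action:19} {pid}: {verdict} ({decision.layer}: {decision.reason})")
```

The detailed `Decision.layer` is meant for the audit log and internal tests; a production API should return the same generic response to the caller for a nonexistent record and for a record outside the caller's scope, so that participant identifiers cannot be enumerated by probing.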

With Congruent Solutions as your partner, you can trust that your participants’ data is secure, protecting your reputation and business relationships with plan sponsors. Contact us today to learn more about our recordkeeping solutions and how we can help you bridge regulatory gaps in data security.