After a surge in the number of cyber-attacks on businesses, most have changed the way they utilize cybersecurity protections. Has your 401(k) plan done the same? To ensure your plan, assets and participants remain safe from cyber criminals and fraudsters seeking to exploit security vulnerabilities in your system, complete annual risk assessments, review internal and customer controls, and invest in an insurance plan before a breach occurs. As a plan sponsor, doing so is your fiduciary duty. Failure to do so can result in costly court battles that you’re unlikely to win.
Summit CPA Group has merged with Anders CPAs + Advisors! Visit our website to learn more about our 401(k) process and pricing: https://anderscpa.com/401k-audits/
“[Cybersecurity protection] is not something in passing that [the Department of Labor is] involved in, not something that once a breach occurs, now they're gonna get involved. They're trying to be more preventative. We're trying to get the information out to all of our clients, as well as anyone listening here: this is something you need to pay attention to.”
Narrator: Welcome to the 401k Audit CPA Success Show where we are 100% focused on helping companies across the United States prepare for their 401k audit. If you have 100 eligible participants in your 401K plan, then this podcast is for you.
Kim Moore: Welcome everyone to the 401K Plan audit CPA Success Show, and this month's podcast.
I'm Kim Moore, audit director here at Anders CPAs + Advisors, working on the 401K plan audit team. I'm joined by Karen Hill, Audit Manager here at Anders. And this month we are gonna talk about cybersecurity and 401K plans. We've talked about this before, but it's an area that the Department of Labor is very concerned about.
And I also wanted to throw in some new things that you've probably heard about on the news, artificial intelligence, and some things that are going on in that space. So let's first talk about: I am a plan sponsor. Let's assume if you're watching this podcast, probably a plan sponsor or plan trustee, or maybe someone with administrative responsibility for the plan.
So, Karen, I outsource all of my work to my service provider like a Fidelity or a Vanguard or ADP or an insurance company. So why do I care about this? Isn't that their problem?
Karen Hill: No, no, it's not. It's, it's your problem. A lot of the controls are at the service providers, but ultimately you have the fiduciary responsibility over the plan.
That means that you have the responsibility for the controls. You can't just say, well, they have the controls. You have to actually look at the controls that they have and make sure that they're adequate. Usually, in their SOC reports, there's gonna be complementary user entity controls, which you need to make sure that you're following for them.
And you know, really the reason for this is these plans. There's a lot of money in these plans, even the smaller plans are gonna have a significant amount of money for somebody who might want to try to commit fraud and get some money out of your plan.
Kim Moore: Yeah. This is real.
Karen Hill: Yeah. It's really a big issue right now,
Kim Moore: It's, we always talk about that the fraudster, you know, they can try 500 times to commit a fraud and not be successful, but they will not be caught because all of this is done online usually. And they only have to be successful once, and they can get a whole lot of money.
Karen Hill: Mm-hmm.
Kim Moore: So, you know, you have to prevent it every single time, but they only have to be successful once. It's kind of just like terrorism or anything else.
So it's it, it's a big deal. But it's also a big risk if anything happens. And a lot of the plan administrators, plan trustees and that the folks that work with the plan from the company don't understand that they are legally named fiduciaries to the plan. And to the participants, they are responsible for making sure that the money in that 401K plan is secure.
It's managed well, that whatever the participant instructions are that they're followed, whether that's something they're doing and taking care, or you may hire two, three, a hundred different service providers to help you with that. It doesn't matter. You are still legally responsible. And if there was a breach and there was a lot of money lost, you could be personally liable for, for whatever that money is.
So just think of you're going along your day to day, think everything's fine. Participant calls you up and says, Hey, where's my money? And they had $500,000 in their account. I mean, I don't think many of us would wanna try to fork over $500,000 to make that person whole. You know, we don't have savings to account for that.
So we're gonna talk a little bit more about that a little bit later here. But those are big reasons why we need to care about this. And I think most of us have heard in the news, you know, cybersecurity doesn't impact just 401k plans. It can happen on almost anything, but certainly, anytime there's money sitting somewhere, that's a big target for a potential fraudster.
Another thing I wanted to bring up that we didn't talk about last time we brought this issue up is artificial intelligence. That's been getting a lot of traction in the news lately. Artificial intelligence is where you have a computer or a program and it's programmed to do certain things and it's programmed to learn from itself.
So it it, it's going to get smarter and smarter as time goes on. And you know, this has kind of been happening all along. It's not, it's getting a lot of attention now, but it's been going on for quite a while. But they have artificial intelligence abilities now that can mimic your voice.
So someone who could take this recording, try to copy my voice and do something with it, and it would sound, you wouldn't be able to tell if you knew me. It would sound just like, you know, I had physically called you or I was doing a video chat with you and saying things that I wouldn't normally say.
So they, they've done a lot of tests and they, they've shown the, you know, the news anchors and you would swear it was that person talking, even though they didn't record it. They had never said those words. But the artificial intelligence can do that now. So, you know, we want you to kind of think about this in regard to your participants.
So obviously, the way a fraudster is going to there, there's two ways that they can hurt your plan. One is they can impersonate, if you will, a participant and take a distribution. So I'm going to impersonate Karen. I'm gonna go to your service provider. I'm going to say, I'm Karen. I wanna take money out of my account because I'm Karen and I'm allowed to do that.
If the service provider doesn't catch it, they allow that distribution to go through. Maybe I change the address or I tell them to put into this bank account, which is obviously not Karen's. It's one that I've set up. And I would steal Karen's money. So that's, that's one way to do it. Another way is to hack in and to get ahold of information that then I can use either sell the information or I can use the information to commit a fraud.
Now we're not gonna talk so much about the second part of that. We're gonna, we're gonna focus primarily on the first part. And that's someone getting a hold of funds that belong to one of your participants.
And obviously, if they were to do that, commit the fraud, your company and the plan would be personally liable and liable as an entity to make that individual whole. Not only if the person, let's say you had $50,000 in your account, Karen, and I stole it. It's not just the $50,000 you would have to replace.
It would be all of the money I spent trying to recover the money. Also any lost earnings, because it might not be discovered for a year, two years down the road. Well, that $50,000 would've been invested. It might now be $75,000. And so you would have to replace the full amount that would be calculated to be lost.
And you know, I'm sure a lot of people sitting here listening are like, "Yeah, well that could all happen, but probably would never happen. It's probably not a risk to me. That's never really happened. You know, they've just been watching the news," and actually, it has happened. There have been court cases, people have gone to court.
They have lost their entire savings that they had in their retirement plan through a scheme just like this. And they've, in the court case, have alleged that their company that, that this plan was, was sponsored by either did not have strong enough controls to prevent this from happening, or they didn't supervise the service provider enough to know that the service provider didn't have strong enough controls.
And those court cases have all been successful. They're all winning. And so those companies then are forced to make those people whole; they have to fund whatever the judge at that point determines was lost, which of course is out of your control. The judge could say, Hey, it was a $50,000 account, but I think you need to fund 500,000, and you're stuck.
It's a court case. So at that point you've gotta fund it. And a lot of times it isn't one person. A lot of times it can be multiple participants who get impacted. So it's not 50,000, it's 50,000 times 10. You know, you can be getting up into some large dollar amounts here that we're talking about.
So it is definitely an issue, definitely something you need to worry about. We know that you wanna do the right thing for your employees and you're helping your employees to save for their eventual hopeful retirement at some point by sponsoring a 401k plan. I'm sure you don't want all that to just be wasted because of a fraudster getting hold of it.
So, that all alone should make you pay attention to what we're gonna talk about next. But I also have been at two conferences within the last couple of weeks here, and speakers from the Department of Labor, pretty high up in that organization, have all stressed that this is a big concern of the Department of Labor.
For the very same reason, you know, they're charged with helping the citizens of this country save for retirement and protecting benefit plans that companies sponsor. So obviously for the same reasons they're concerned. But they also, to try to combat this, are focusing at the employer level on what can the employer do to help stop this from occurring.
One of the things that I heard is that if the DOL is coming into your company or your plan, it might have nothing to do with cybersecurity. They're looking at late contributions or they're just doing a random audit, or maybe someone's complained about something, maybe fees or something, again, has nothing to do with cybersecurity.
They said it's always at the top of their list to say, what policies and procedures do you have in place regarding, you know, protection for your employees related to cybersecurity? And if the, you know, employer comes back and says, yeah, not a risk, we don't care, you're probably gonna get a fine, you know, you're probably gonna get additional visits from the Department of Labor.
So it's, it's high on their list. It's not something in passing that they're involved in, not something that once a breach occurs that they're gonna get involved. They're trying to be more preventative. So real, real big focus on them.
We're trying to get the information out to all of our clients as well as anyone listening here, this is something you need to pay attention to. And we're gonna talk next about some things that, that you can do. So Karen, I got, I got their attention and they know I use a provider. Again, we mentioned some of the, the, the big ones out there. But I don't know, you know, I use, let's say John Hancock or I use Fidelity.
I don't know what their policy and procedure, I mean, I don't, I don't, are they good? Are they bad? I don't know. So what, what can I do as a plan sponsor to check with those major providers on, you know, what controls they have in place?
Karen Hill: Well, if first you can ask them if they've had a breach they should tell you if they have a breach.
But you know, also, you can go ahead and ask if they had a breach, and if they did, how did it impact their systems? Did it affect your plan? If they haven't had a breach, then you might wanna ask them what their policies and procedures are in that area. What would be the steps that they would take if there was some sort of security breach, you know, how would they notify you?
Another reason for that is because, you know, with all, with all of the different types of fraud, fraudsters that are out there, it's possible that they could try to use something like that to, to gain some sort of access. Oh, we've had a breach here. Click this link and then you some, you know, there's something else going on.
So you would wanna ask them, how are you gonna notify me if there is a breach? Are you gonna email me, are you gonna send me a letter? Am I gonna get a phone call? Probably not a phone call, but you know, what's gonna be the procedure as far as that is concerned. You wanna review the controls on how you would prevent a loss.
You know, there's different way, different points of access that you would wanna look at. You wanna look at, you know, your own internal controls. You wanna look at the controls of the record keeper. You wanna look at the controls of the payroll system. And you wanna look at things that are, you know, online if you have things, hard copies.
Because you know, those hard copies, if you don't have good, strict controls around those, those can get out and those can be used for cybersecurity attacks.
Kim Moore: Yeah, we-
Karen Hill: I mean, think about this-
Kim Moore: Oh, go ahead.
Karen Hill: I mean, well, I was just gonna say, think about how many times if, if you are ever on Facebook where somebody will, will pose some sort of a question that seems so, seems innocuous, but it's things like, oh, you know, things that they ask, "well what was the, you know, what street did you, did you live on when you were growing up?"
That often is a security question and answer. So they're trying, you know, that's-
Kim Moore: Mm-hmm.
Karen Hill: It's, that's a way to get the answer. So-
Kim Moore: Or they'll, they'll, they'll just look on your social media. You may talk about, you know, your best friend that you had back in high school, or where you went to high school, or where your parents, you know, grew up.
Those are all security questions too. So they, you know, these fraudsters, they're very, very smart. And especially with the artificial intelligence now too, those systems can go probe around. Find information about an individual and then, like I said, they can try 500 times and if it doesn't work, they're not out anything.
And especially if it's a system doing it. You know, turn it on, let it go. And if it finds something, great. If it doesn't, I'll try somebody else. So the other thing I was gonna mention, you mentioned the paper copies of things, and that could be everything from a paper I-9, which is gonna have someone's social security number, their name, their address, you know, all that kinda stuff.
It could be paper payroll reports, it could be forms that you use for someone to sign up for something. It could be payroll forms that you're, you're documenting someone's pay increase. I mean, there's all kinds of paper stuff and you know, you probably have a document retention plan and so that hits that limit and you're gonna get rid of the documents.
We all know you don't shred that stuff. You don't take care of it. You don't lock it up in between taking it out of your company to wherever it's gonna get shredded. That's a huge hole if you're not careful about the custody of those paper records.
Karen Hill: Mm-hmm.
Kim Moore: That's a fraudster, you know, goldmine. If they could get ahold of, of one batch of that stuff, they, they could steal millions.
And that exposes not only your 401k plan, but it exposes the finances of your employees as individuals. It could expose your company. It could expose senior management.
Karen Hill: Right.
Kim Moore: I mean, how would you feel if the, you know, the owner or the CEO or president or whatever of your company had a breach because you didn't watch over some stuff you were shredding.
I mean, you'd probably lose your job, but probably you'd also feel horrible about it. So those are all, you know, those are all things that you've gotta be careful about and really look at. And one of the things I think, Karen, that you're kind of alluding to, and this is something the Department of Labor was very big on, is a risk assessment of all of these controls related to the data and the protection of the assets as well, in your 401k plan.
So to do a risk assessment, you, it doesn't take a lot of time. It doesn't, you don't gotta go hire somebody to do it. Take the people that work with the plan, the people in your payroll, HR area, maybe some finance folks, because a lot of this gets into financial controls and just schedule some time, a couple of hours is probably sufficient.
And sit down and say, if I wanted to either steal information or I wanted to steal assets from the plan, I wanted to impersonate a participant, how would I do it? Just think like you're a fraudster. Now, you know, we're not all experts and you know, you're probably not gonna think of everything. But if you go through that exercise and you document it, and then you do something about any holes that you find, you're a long way towards being able to satisfy when the DOL comes in and asks, "Hey, you know, what have you done?"
You can say, well, here, I did this. I looked at this, we changed these things. Is it gonna be perfect? Probably not. They're gonna catch everything? Probably not. But at least you've made a good faith effort. That will go a long way to protecting the assets, protecting your participants.
It'll also protect you in the event something goes wrong and there's a lawsuit. You're gonna come out much better if you can say, I knew this was an area of risk. I did things. Now, maybe it wasn't foolproof, but at least I did take action and I tried. And that that will really help you. So there's, you know, if you just Google risk assessment and I think even if you do Google risk assessment for 401k plans, you're gonna find things out there that you can use if this is all brand new to you.
There's also, if you want to kind of dive into this a little further, the DOL has a booklet now on cybersecurity and we're gonna talk a little bit more about some of the things to consider here, but it will actually lay out processes to use in each of these areas. So that risk assessment is gonna go into it a little bit deeper dive, what they're expecting things to consider so you don't have to hire somebody or be an expert here.
You can go get some resources from the Department of Labor. Like I said, big hot button issue. So always go check out the Department of Labor website about cybersecurity and you'll find a lot of, I think, great resources there. Karen, you wanna talk about the SOC reports for our service providers? We haven't talked about that in, in a lot of detail.
Karen Hill: Yes. Well, most service providers will have a SOC report, which simply is they had an auditor come in and evaluate their system of controls, or the controls around their operating systems. And they will do so many tests, and the tests depend on what the control is and what type it is.
And then if they have any exceptions to those controls, where they found that there was some sort of, I don't wanna use the word breach, but if the control wasn't working properly. One of the more common ones that we see is that they were supposed to have a review and the review wasn't performed timely.
Sometimes they have terminated employees that they don't remove their access timely, things like that. You wanna look at those exceptions, and then you want to look at, there's always a management response to the exceptions. So maybe you say, oh, well, in a list of 40 terminated users, you know, two, their access wasn't removed timely.
So what was the management response? You know, hopefully the management response has something to the effect of, well, we looked at these users and made sure that they didn't, after the termination date, get into the system and use their passwords, use their access, and do anything.
So you wanna see what the management response was, and that will help let you know how seriously the provider takes their controls, and to see if they are really trying to make sure that they don't have any of these breaches with the controls.
Kim Moore: Right. Serious issues, the holes, really.
Karen Hill: Yes.
Kim Moore: And you know, a best practice would be, those are issued usually annually, can be different, but usually we see them annually. A best practice would be to, you know, know when they're coming out, so know when they're available. Absolutely, you can get copies of them. You don't have to pay for them or, you know, do a separate request.
They're usually right out there on the website. If you have an auditor, you can ask the auditor, 'cause the auditor is gonna be all over getting a copy of those and looking at them, so you can, you know, have a discussion with the auditor. But if you don't have, you don't need an audit, you can just ask whoever your rep is, they'll get you a copy.
A lot of times your investment advisors are pretty savvy on controls. So they could help you if you don't really understand what's included in there. Or go talk to your finance department. A lot of times they're a little bit more cognizant on controls and understanding what the verbiage means.
If you have an internal audit department, they will absolutely be able to help you. They're very familiar with these kinds of reports. Those are all things, but like I said, best practice is to get those annually, take a look at 'em, see were there any issues noted. And as Karen said, what did they do about it?
What's the management response? And you'll probably see most of it's fine. And then maybe they had a couple of issues and, and they took care of 'em. And so there's nothing there to worry about. But again, I think just showing that we had this meeting, we took a look at it. Nothing of concern.
We've documented that. That's gonna go a long way to showing that you have a good program to, to try to protect your participants. So, you know, those are, those are always good things for you to be concerned about. Another area I wanted to bring up I mentioned in the risk assessment that you wanna think about, if I was a fraudster, how would I commit a fraud?
One way is to impersonate one of my participants. So you wanna think about... that's probably not gonna be someone impersonating one of your employees to you, because in most cases, the company that sponsors the plan doesn't hold the assets. So they can impersonate all day long, but I can't issue you a check outta the plan cuz I don't, I don't control those assets.
That's a custodial group that is doing that. So they're not gonna probably do it with you. They're gonna do it with those record keepers and they're gonna try to find a way to either log on, guessing the password, and then using those, that information they gamed off of social media to guess your security questions.
Or they might do it via a voice response type thing. I call in and I impersonate the participant. I use a 1-800 number voice response where you would call in as a participant and say, I'm Karen Hill, I'm participant number, blah, blah, blah. I wanna change my investment from investment A to investment B.
You leave the recording, the service provider picks that up, they'll go do the transaction, and then they'll probably send you a confirmation via email or a snail mail confirmation. That's what it's for. But if you are successful in impersonating that participant, then you could potentially request a distribution or move some funds around to make it easier to request a distribution.
Those are all things that a fraudster could do to impersonate one of your participants and get access to the money. There's something called know your customer controls. Financial entities are required to have policies in this area. It started with banks, so that banks were required via federal legislation to know their customer to make sure that they were taking money not from terrorists and things like that.
But it has spread, and so most financial entities now will have know your customer policies and procedures. That's why if you call your bank, your credit union or your insurance company, any of those entities that has to do with your financial information, they're not just gonna say, "Oh, you're Karen Hill.
Okay, what do you want?" They're gonna ask you things like your social security number, a PIN number, those security questions. Other, it depends. They all have different things, but they're gonna have some protocol set up. And if you can't get them that information, that you're verifying who you are.
It doesn't matter who you are, you could really be the person, but they're not gonna take any action from that person that's on the phone or is logging on. So if you, you know, if you've tried to log on, you've got your password and you can't give the security questions, it'll lock you up.
And your ID will be invalid now. And then you've gotta go through a process to get it reset. That's why those are there, is to protect against this kind of fraudster activity. So those are very strong preventative controls, and you really want the preventative controls. You don't wanna have detective controls where, well, now I found out a fraudster got in and stole a bunch of money, so I was notified, but now it's too late because the money's always gone in those situations.
So, you want the preventative type controls. If you don't know what those are, I think it's a very good idea to ask your provider. They probably have a booklet they can give you. I just saw on ADP, if you're using ADP as your record keeper, they have a, a little booklet now that talks about all the cybersecurity risks, what they're doing, how they're, which I'm not sure is, is a great idea cuz they're putting out all the procedures.
But it is available. And so if you go on your plan's website, you can see that. It's prominently displayed out there. But you know, if you don't know, call and ask. Ask your rep, say, hey, you know, identify yourself as the plan administrator and that you're concerned in this area. So ask, what are their know your customer controls?
What are their policies and procedures? And they should be able to help you understand that. If, if you don't have that, just think about if you were to log in or call in as a participant, what do you have to go through? You're gonna see those controls because they're, they're gonna be right there as you're trying to log in.
You know, if they can't answer those questions or they're not willing to talk to you about it at all, it's probably time to consider looking for somebody else because that means that they know that their procedures are probably not very good. And is that a place you wanna have your own money?
Cuz you probably have money in the 401K plan as well. And you're just as likely to be impacted by this as one of your participants. So definitely an area I would check out. And, you know, if you don't get a good response, I would question that with your service provider and whether you really wanna stay there. You know, we've talked in past blog posts and podcasts about IT general controls, things like strong IDs, strong passwords, backup procedures.
We're not, I don't wanna go into those and spend a whole bunch of time on those cuz we've kind of covered that before. If, if you have questions about that, by all means, you can take a look at some of our previous podcasts. But, definitely something that, that you wanna check out and be concerned over.
Those are areas of weakness too, even inside your company, that can impact more than the 401k plan. So you wanna be careful about that. Karen, I know we talked about how preventative controls are the best, but, mm-hmm, things happen. You can have the best controls in the world and there's still gonna be opportunities.
So if I am a plan sponsor and I wanna kind of put some detective controls, I wanna look for things, what kinds of things should I consider?
Karen Hill: I'm try, I'm sorry, I'm trying to get to the right spot here.
Kim Moore: It's down under like distributions.
Karen Hill: Yeah, that's ok. That's why I was gonna make sure. Well, the one thing that you could do, and I can tell you from my 20-plus years of auditing experience, it doesn't happen very often, but one of the things you could do is to review the distributions. You know, review them monthly, review 'em quarterly, and look and see if there's anything in there that looks odd.
You know, here, so-and-so took a termination distribution, but they're still employed. What happened there? Why did that happen? That might be, you know, a red flag that somebody was able to get into the plan and take some money out of your plan. You know, if that happens, you might wanna talk to the employee and make sure, if you're not sure what happened with that. And, you know, even though you might be hesitant to alarm the employee, it is their money, so.
You know, if something happened to their money, they're gonna need to know about it because they're gonna find out one way or the other.
Kim Moore: Right.
Karen Hill: And they're gonna be angry either way. And it's gonna be less upsetting to them to know that you found it and you're gonna try to help them fix the problem than if they find it down the road when they go to take out the money and say, "What happened? What happened to all the money that was in my account?" And then they come to you.
Kim Moore: Right. Yeah. And you you bring up a good point, Karen. I mean, those are, there's preventative and detective controls potentially there, because a best practice, again, like you said, we don't see it very often, would be to review the distribution before it's processed.
So in that case, yes, I'm looking at this person that still works for me. I just saw him down the hall and they just took a, you know, they're requesting a termination distribution. Number one, that's a problem. That's a compliance issue. But also it could potentially be a fraud. Or, you know, somebody is applying for a hardship distribution.
They need to pay medical bills and, you know, they haven't been sick. They've been working overtime, you know, a lot. So that might be, "Hmm, I am not sure about that." You know, those kinds of things. "I'm applying for a hardship because I'm buying a new home," and you know that. You know, you just talk to 'em and that's not on their radar.
So that's something you could catch ahead. You could stop it before it happens. But if that's, you know, just not feasible or, you know, you've chosen not to do that, most plans have reports out there that you can look after the fact. Again, not the best, but at least as Karen mentioned, you can catch it kind of before it gets blown up.
And you might be able to catch it, that it has happened once, before it happens, you know, multiple times, and now you've got, you know, a big, huge problem. So the other thing ultimately, so you've tried to do your risk assessment, you've tried to look at controls, you've put preventative controls in place, you thought they were great, you're looking after the fact, and lo and behold, either you see that there has been a distribution that was not intended.
You're involved in a lawsuit, so now you found out there's a breach. Or potentially the record keeper or the custodian comes to you and says, we were notified that we've had a breach. And at that point they probably don't know if it impacted you or not, but you've been notified. So obviously, you know, at that point, you're gonna probably panic and say, oh my gosh, now what do I do?
One of the things that can help you out, and the DOL stressed this a lot, is insurance coverage. So, you know, obviously you can't go get the coverage once the breach has happened. You're gonna have to have the coverage ahead of time. That's how insurance works. So if you take away nothing else from this call, it's probably a good idea to call your insurance broker and talk about general cybersecurity coverage.
Because this could impact your company, could impact your employees, your data on your employees as well. It's not just a 401K plan issue. Obviously this could be a more general issue and depending on your company, if you do a lot on the internet or a lot of transactions over the internet, it could be even a bigger issue for you as a company.
So there are all kinds of policies out there. Now, again, not gonna go into a lot of depth on the different policies that are out there, but all different kinds of cybersecurity reimbursement, coverage if you're, you know, in a lawsuit, those kinds of things. Depends on what, you know, how much you wanna pay for.
It depends on how much risk you think there is here. Like I said, that's between you and your insurance broker, but I strongly would encourage you to check that out. I don't think those policies are all that expensive at a base level. But again, it depends on which option you pick and, you know, are you getting a bigger policy, smaller, all of that?
So it kind of depends. The other thing I'd say is that 401K plans, we've talked about this before, they're required to have an ERISA fidelity bond. That would not help you here. So we've talked about that in other podcasts, talked about it in blog posts. You are required to have that, that's covering the funds as it's kind of going through the process.
So you've taken a hundred dollars outta someone's paycheck and it's going through a process to get over to their account in Fidelity. In between there, something happens, say that the payroll person steals the hundred dollars. Those bonds will help with that. It is not going to help with this type of cybersecurity fraudster type actions.
So you know, if you're hearing this and saying, "Hey, I already got a bond. I got a policy that covers the plan, I'm good." Probably not. So those are different types of policies. They're covering different risks, covering different people. So I'd just be careful about that. And I would, you know, check that out and actually talk to your insurance broker cuz they're gonna be the experts here to be able to help you make sure you get the right kind of coverage for the risk that you want to try to mitigate.
So my last thoughts on this topic: Do something. Don't just listen to this and say, "Yeah, that's gonna happen to somebody else. I don't, you know, I think the risk is low. I don't need to worry about it." As we said, big, huge risk if it happens. It could be a disaster for your company, for yourself and definitely for your employees.
But if nothing else, you wanna have a response when the Department of Labor calls and asks, and it would not surprise me if they start randomly picking companies and asking them to respond to this risk and what have you done as a plan sponsor to protect your participants from this risk? Especially with all this artificial intelligence stuff coming out?
It's, I think, going to only get worse. I think it's gonna be an even bigger area of risk. So definitely do something. You know, look at the insurance coverage, do the risk assessment, review the SOC report, do some documentation, talk about it. But document something so that you can show that this is an area you understand, you're concerned, you're trying to do your best.
That would be my best suggestion. I don't know. Karen, what are your final thoughts here?
Karen Hill: Well, one thing I would want to emphasize is that if you do have cybersecurity insurance for the company, make sure it covers the plan as well.
Kim Moore: Yeah, good point.
Karen Hill: Because it might not. Might not. So you wanna make sure that any kind of insurance coverage you have for those types of things will cover the plan.
Kim Moore: Yeah. Very good. Very good point. Last thing I'm gonna do before we wrap up for today, as we do every month when we do these podcasts: we'd love to hear from our listeners. So if you have any questions, you have suggestions for future podcast areas that you'd like us to cover, just questions on what we talked about, you need access to the DOL booklets that I mentioned. Don't hesitate to reach out.
I'll give you my personal email. It's the letter K, then m o o r e at anders, with an s, cpa.com. Again, it's K M O O R E at A N D E R S CPA dot com. And I'd be happy to answer any questions you have about this topic or other suggested topics or if you happen to need a 401k plan, audit, or wanna talk about an issue that's come up in your 401k plan audit, be happy to help with that as well.
With that I think we're gonna end today's podcast and let you get working on all those things that we talked about. If you have any questions, don't hesitate to reach out. Otherwise, we will talk to you again next month in the 401k Audit Success Show Podcast. Thanks for listening.
Narrator: Enjoy this podcast? Visit our website at anderscpa.com/401k to get more tips and strategies for achieving 401k audit success. We're here to be a resource w