25 Investigates: 4 steps to safeguard your retirement accounts from cyber hacks

BOSTON — Cyber hacks are on the rise, and the next one could be coming for your retirement. Government watchdogs tell 25 Investigates, retirement accounts, like 401ks, are at risk, and they want to overhaul how they’re protected.

“We’re talking about not only personal information on each of us that may hold a retirement plan but also actual money,” said Nick Marinos, GAO’s director of IT and cybersecurity issues.

Better protecting what could amount to your life savings and personal information is the goal of a new report from the Government Accountability Office.

“Many of the same things that we fear within our social media accounts, our bank accounts are the same risks that we see within the retirement plan industry,” Marinos said.

The GAO says retirement accounts, valued at $6.3 trillion as of 2018, and the large firms that manage them are big cyber targets.

The GAO report says since so much information is shared among multiple parties, the U.S. Department of Labor should create clear guidelines about who is most responsible for mitigating cyber threats and how that should happen.

“But there’s also a lack of clarity within this industry as to who is identified as a financial institution,” Marinos said. “That relates to another recommendation we made to ‘labor’, that the department should put out a better sense of clarity as to who has ultimate fiduciary responsibility for protecting our information.”

25 Investigates contacted the Department of Labor for information on the steps it has taken since the report was issued, but has yet to receive a response.

While that is being sorted out in Washington D.C., consumers, whether they’ve just started contributing or are close to retiring, can act right now.

“People’s life savings can be wiped out in a matter of seconds by clicking the wrong link or providing your passcode to a bad guy,” said Robert Siciliano, a cybersecurity trainer who runs Protect Now. “I say that every email you get is a lie until you can prove otherwise.”


Siciliano says consumers are often too trusting of what’s landing in their inbox. He says never click on a link sent to your email until you can verify where it came from.


Next, set up alerts to proactively monitor your account.

“So, every single time there is some type of a transaction, you get a phone call, an email, or a text message to notify you; that’s a push alert,” said Siciliano.


Use two-factor authentication, not just a singular password.

“That means a username, a passcode, and a one-time passcode that you generally get via text message,” said Siciliano.

Another option is biometric authentication, using your face or fingerprint for an added layer of protection beyond a password.


Be obsessive, Siciliano says, with your account security. Update your passwords at least once a year.

25 Investigates reached out to some of the major retirement management firms to see how they have reacted to this report.

A spokesperson for Vanguard, Carolynn Wegeman, sent us the following statement:

“Vanguard takes the protection of our clients’ assets and sensitive information very seriously. We invest heavily in security measures, follow industry best practices, and employ advanced technology and rigorous online security standards to protect our clients and their data. Such practices include 24/7 cybersecurity monitoring, data encryption, network segmentation, and continuous investments in our technology and security measures. For more information about our cybersecurity program, as well as online security tips for individuals, please visit our Security Center on Vanguard.com, here.”

— Carolynn Wegeman

Fidelity released a statement on what it’s doing to make sure clients’ accounts are secure, saying:

“Fidelity has an extensive range of safeguards and multiple layers of security in place to protect the security of customers’ accounts. By design, for security reasons, some of our protections are visible and some are not. Participants in retirement plans administered by Fidelity can learn more about how we keep their accounts safe here: https://nb.fidelity.com/public/nb/default/resourceslibrary_redesign/articles/onlinesecurityatfidelity

We also encourage customers to review the Online Security Tips issued by the DOL to learn about steps customers can take to safeguard their retirement accounts. The tips are available at https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf

We also offer a Fidelity Customer Protection Guarantee. Under the terms of the Guarantee, we will reimburse covered Fidelity accounts for losses due to unauthorized activity if we conclude that the activity occurred through no fault of the customer (or, for Workplace Investing customers, i.e., those in 401(k), 403(b) plans, etc., through no fault of the customer or their employer). For more information about the Guarantee and its coverage, please see https://www.fidelity.com/security/customer-protection-guarantee.”


Marinos says this warning shouldn’t discourage consumers from establishing an online presence for their accounts; quite the opposite.

“If one doesn’t create an online presence for themselves, a bad actor might, you know, spoof and pretend to be an individual to try to gain access,” Marinos said.