Are Your Investment Accounts Safe From Hacking?

In the wake of the recent Equifax scandal, you might understandably be jittery about the safety of your money and your personal financial information.

A lot has been written about what you can do to prevent hackers from opening new accounts and new lines of credit in your name. But a lot less has been written about protecting the money you’ve already saved and invested.

Specifically, how safe is the money inside your retirement accounts? How is that money protected from hackers? And what can you do to make sure these accounts are secure?

These are big, important questions given that you’ll have to rely on this money to support you in retirement. And in this article we’ll answer those questions so that you know exactly what to do to keep your retirement accounts safe.

How Safe Are Your Retirement Accounts?

Here’s the good news: Your retirement accounts are generally pretty difficult for hackers to access, especially when you haven’t yet reached retirement age.

A 401(k) or other employer retirement account is particularly unlikely to get hacked. Here’s why:

  1. Many 401(k) plans do not allow in-service withdrawals, meaning it’s next-to-impossible for anyone, including you, to get money out while you’re still working there.
  2. Even if in-service withdrawals or loans are allowed, there’s a lot of paperwork that needs to be filled out and verified before any money can be taken out.
  3. Even if you’re no longer working for the company, there are a number of waivers you would have to sign in order to withdraw the money before eligible retirement age.
  4. Even if you’re no longer working for the company AND you are of eligible retirement age, many custodians require you to sign forms verifying your age and acknowledging the tax implications of your withdrawal.

All of which is to say that there are many hurdles that have to be cleared before any money can be withdrawn from your 401(k), and it’s unlikely that a hacker would even be willing to try, let alone succeed.

IRAs are slightly less protected simply because there’s no restriction on in-service withdrawals like there is with a 401(k). But most of the same hurdles apply, such as waivers for withdrawals before retirement age and verification of age and tax implications once you do reach retirement age.

And regular investment accounts are slightly more vulnerable since there are no age restrictions around accessing the money. But even then, Jeff Snodgrass, a financial planner and the founder of Mindful Wealth in Du Quoin, Ill., urges people not to worry.

“If you’re at a reputable custodian,” Snodgrass says, “they’re bending over backwards to protect you. The custodian is usually the strongest link in the equation.”

The bottom line is that the money in your retirement accounts is difficult to access, particularly before eligible retirement age. It’s not impossible, and below we’ll talk about some steps you should take to make it even harder on potential hackers. But by and large your retirement money is fairly safe.

Financial Advisors Can Pose a Risk

Ironically, the two financial planners I spoke with both noted that advisors can actually pose the biggest risk to your retirement money.

Snodgrass recounted three separate occasions in which his client’s email had been hacked, and the hackers had emailed him requesting a withdrawal. Luckily he called his clients to verify the withdrawals before proceeding — but if he hadn’t, the clients would have been liable for their losses.

“You need an advisor who understands that they are the weakest link,” Snodgrass says. “If your email is hacked and the hacker asks your advisor to make a withdrawal, the custodian is not liable because it counts as an authorized transaction.”

Snodgrass recommends protecting yourself by documenting with your advisor, in writing, that you will never request certain types of transactions by email. You can also request that your advisor verify any withdrawal requests over the phone before completing the transaction.

Neal Frankle, CFP®, the editor of, argues that you’re much more likely to be scammed by a broker than you are to have money stolen out of your retirement accounts.

“The much greater threat is falling for some story by some charlatan who sells you on some pyramid scheme,” Frankle says. “Brokers will convince you to invest in their project, get you to convert your funds, and then the money is gone.”

Frankle says that you can protect yourself from such scams by only ever investing in traded securities – like public mutual funds, ETFs, stocks, and bonds – and by never writing a check directly to your broker. Checks should only ever be made out to your custodian, where the money will be deposited.

Can You Get Reimbursed If You Are Hacked?

What if the unlikely happens – if your retirement accounts are hacked, and your money is stolen? Are you able to recover the money you lost?

The short answer is “yes, probably,” but the long answer is a little more complicated.

Most retirement and investment accounts are covered by SIPC insurance, which will reimburse you up to $500,000 if your brokerage firm fails. And while this protection is valuable, it explicitly DOES NOT protect you against theft or fraud.

However, most brokerage firms do have policies stating that they will reimburse you for any amounts lost to “unauthorized activity” as long as you take some basic precautionary steps. These steps vary from firm to firm, but generally include the following:

  • Creating strong passwords and security questions
  • Keeping your login and account information private
  • Keeping contact information up to date
  • Monitoring your accounts, statements, and transaction confirmations on a regular basis
  • Notifying the brokerage firm promptly of any suspicious activity
  • Cooperating with the brokerage firm during any investigation of suspicious activity

For example, you can see Vanguard’s policy here, Schwab’s policy here, and TD Ameritrade’s policy here. You should also be able to look up your current custodian’s “fraud policy” by Googling it.

Long story short, while it’s unlikely that your investment accounts will ever be hacked to begin with, if they are hacked you’ll likely be reimbursed as long as you notify the brokerage firm quickly and cooperate as they look into the issue.

Steps You Can Take to Protect Yourself

While there are already a number of hurdles any hacker would have to clear before being able to access your retirement accounts, there are a few steps you can take to make it even harder for them.

You can start with the above list of steps generally requested by brokerage firms. That is, creating a strong password, not sharing sensitive personal information, regularly monitoring your accounts, and notifying your brokerage firm immediately if you notice anything that looks suspicious.

Snodgrass notes that your password alone is one of the best ways you can protect yourself, and he encourages people to use password managing software as well.

“The best password is a long password,” Snodgrass says. “And password software is absolutely essential. There’s no good way to maintain unique, long passwords for all the places that you’re asked to do it on your own.”

As far as keeping tabs on your account activity, Frankle notes that retirement account statements can be baffling even for the smartest of us and he encourages people to ask for help.

“It’s not your fault if you don’t understand your statement,” Frankle says. “Don’t be intimidated about getting someone at the brokerage firm to explain it to you. You need to make sure you understand your statements and you have every right to ask for help.”

For an extra layer of protection, Frankle also recommends asking your broker to call you to confirm every single withdrawal request. He says that not every custodian will be able to accommodate this, but many will, and it never hurts to ask.

Beyond that, both Snodgrass and Frankle repeated multiple times that people should generally not worry about the safety of their retirement accounts.

“I haven’t ever seen it happen where a client’s retirement account is hacked,” Frankle says. “It’s just not likely.”

The Bottom Line: Your Retirement Accounts Are Safe

When it comes down to it, your retirement accounts aren’t 100% hack-proof, but they’re about as safe as it gets.

Really, the biggest threat to your money is your own behavior. As long as you use strong passwords, keep your account information private, monitor your accounts on a regular basis, and avoid shady financial advisors, your retirement money is relatively safe and sound.

Matt Becker, CFP® is a fee-only financial planner and the founder of Mom and Dad Money, where he helps new parents take control of their money so they can take care of their families. His free book, The New Family Financial Road Map, guides parents through all the most important financial decisions that come with starting a family.

Matt Becker

Contributor for The Simple Dollar

Matt Becker, CFP® is a fee-only financial planner and the founder of Mom and Dad Money where he helps new parents take control of their money so they can take care of their families. His free time is spent jumping on couches, building LEGOs, and goofing around with his wife and their two young boys.