A Fiduciary’s Guide to Retirement Plan Cybersecurity
As our world becomes increasingly digital, it’s essential that we remain vigilant in protecting important data. Cybersecurity is quickly becoming the number one concern for plan sponsors, even overshadowing concerns about underperforming investment options and participants’ savings rates. Across the industry, 7% of plan sponsors reported a cybersecurity breach within the past year, with the number increasing as the participant count and plan assets increase. With the risks of litigation, the rising cost of maintaining high-grade security practices, and the potential impact on participant retirement outcomes, the implementation and ongoing review of best practices should be a priority.
According to the Employee Benefits Security Administration (EBSA), there were 29 million defined benefit plan participants and 126 million defined contribution plan participants with estimated combined assets of $12.4 trillion as of 2023. As estimated combined assets and plan participants increase, the risk of a cybersecurity breach increases. Without proper protection, participants and assets could be at risk from various cybersecurity threats. To address these issues, the Department of Labor (DOL) continues to update guidance for service providers, plan sponsors, fiduciaries, and participants. The updated guidance expands on the EBSA regulations regarding electronic records and disclosures to plan participants and beneficiaries. This includes provisions to ensure recordkeeping systems have controls, records management practices, and electronic disclosure systems that include measures to protect personal information. These guidelines should assist in reducing the risk of litigation and potential negative impact on participants. The following is included in the recently updated guidance:
Service Providers
The EBSA has prepared a list of best practices for the use of record keepers and other service providers responsible for plan-related IT systems and data:
- Formal, well documented cybersecurity program
- Prudent annual risk assessments
- Reliable annual third-party audit of security controls
- Clearly defined and assigned security roles and responsibilities
- Strong access control and technical procedures
- Ensure that cloud systems are being appropriately and periodically reviewed
- Recurring cybersecurity awareness training
- Implement and manage a secure system development life cycle (SDLC) program
- Have an effective business resiliency program
- Encryption of sensitive data
- Timely responsiveness to cybersecurity incidents
Source: EBSA Cybersecurity Program Best Practices
Plan Sponsors
As sponsors of retirement plans, it’s important to prudently select and monitor each of your service providers. The EBSA put together the following tips for plan sponsors of all sizes:
- Use service providers that follow strong cybersecurity practices
- Ask about the service provider’s security standards, policies, procedures, and audit results
- Compare the service provider’s practices to industry standards
- Determine how the service provider’s practices are validated and at what level
- Avoid contract provisions that limit the service provider’s responsibility for breaches
- Ensure contract provisions allow for audit results to be reviewed periodically
- Evaluate the service provider’s track record in the industry, including past incidents and litigation
- Find out if the service provider has any insurance policies that would cover losses caused by breaches
Source: EBSA Tips for Hiring a Service Provider with Strong Cybersecurity Practices
Participants
Plan participants need to follow these basic rules to reduce cybersecurity threats:
- Register, set up, and routinely monitor your online account
- Use strong and unique passwords/passphrases
- Use multi-factor authentication
- Keep personal contact information current
- Close or delete unused accounts
- Be wary of free Wi-Fi
- Beware of phishing attacks
- Use antivirus software and know how to report cybersecurity incidents
Source: EBSA Online Security Tips
A lack of strong cybersecurity practices can become an issue that affects participants, plan sponsors, and service providers. Protecting important data requires that all parties take reasonable and appropriate measures. Conrad Siegel’s IT Team recently created a video which outlines our internal approach to cybersecurity. If you are interested in viewing it, log on to myconradsiegel.com; the video can be accessed under “Fiduciary Training”.
Your organization’s retirement plan is complex, full of ever-changing details, regulations, and oversight. We have built our reputation on understanding those complexities and helping plan sponsors build strong retirement plans. If you have any questions about this topic, please contact our team.