Advances in technology now make it possible to access online accounts instantly and retrieve personal information such as retirement plan savings data. As smartphones and other devices make electronic documents easier to obtain, plan participants expect instant access to their retirement plan records. Security is paramount in this environment, and retirement plan cybersecurity is especially vital: any electronic recordkeeping raises cybersecurity concerns and creates new risks for plan sponsors and their participants. It is no longer a question of whether a problem will arise, but when. This article outlines the risks and the precautions that help protect plan participants.
Importance of Cybersecurity
According to Javelin Strategy & Research, cyberattacks in 2017 led to 16.7 million cases of identity fraud and roughly $17 billion in losses. This growth in cyberattacks is not specific to retirement plan participants and their assets, but they make tempting targets because so much information about retirement plans and benefits is available electronically. Large amounts of personal data can be stolen by criminals, often using automated tools, including Social Security numbers, dates of birth, compensation, and banking information. Together these fields are enough to impersonate a participant to a call center or to redirect a distribution, which is why account takeover and fraudulent withdrawal requests are the attacks plan sponsors should expect.
Increasing Cyber Threats
Corporate cybersecurity is no longer as simple as watching for email phishing schemes or wire transfer fraud. Digital threats now come from many sources, including employees' own personal devices. Any device that connects to the network is a potential entry point into an organization's systems. Risks can also originate remotely, for instance an individual attacker or group breaking into an organization's systems to access and steal information. Retirement plans face many kinds of cyberattack, and it takes only one successful breach to wreak havoc on a company, with resulting losses, legal costs from lawsuits brought by plan participants, and state and federal fines.
Fiduciary Duty
Plan participants have worked hard to earn and accumulate these savings, which makes establishing a protection plan all the more vital. Plan sponsors have a fiduciary duty to act in the best interest of plan participants and to protect plan assets. This includes selecting and monitoring every service provider with access to plan data and safeguarding that data against breaches. In addition, ERISA's electronic disclosure rules require that plan notices distributed electronically be delivered through a system that protects confidential personal information against unauthorized access. Failing to meet these obligations may constitute a breach of fiduciary duty and expose a plan sponsor to costly legal action.
Managing Access to Participants’ Data
One of the challenges for retirement plan cybersecurity is the number of parties who have access to sensitive and confidential data. Outside of the plan participants themselves, other channels that have access to such data include:
- Plan Sponsor or Employer (e.g. HR employees)
- Account Custodian
- Recordkeepers
- Other third-party providers (e.g. managed account provider), typically with more limited access
Each of these parties is a potential point of attack that can leave you and your participants exposed. These exposures can be minimized with the right threat assessments and ongoing risk prevention and mitigation procedures. Plan fiduciaries, sponsors and service providers alike must ensure that their respective digital infrastructure has stringent security measures in place to protect participants from cyberthreats, and a sponsor should ask each provider how it authenticates users, restricts access to participant data, and reports security incidents, since the sponsor remains responsible for selecting and monitoring them.
Maintain a Strategy to Protect Participants
The best way to secure plan participants' information and assets is to establish an effective cybersecurity strategy. Operating under the assumption that any plan can be compromised lets you prepare appropriately, and organizational policies and training help ensure a shared understanding of cybersecurity and consistent practices across the organization.
An effective cybersecurity strategy includes both a prevention plan and an incident response plan for when a breach occurs. Its elements include, but are not limited to:
- Establish cybersecurity governance policies and procedures
- Implement security systems and software, with routine maintenance and timely updates
- Control and limit data access to those who perform plan functions, and remove access when it is no longer needed
- Conduct company-wide cybersecurity training
- Educate plan participants on best practices for securing their accounts, e.g. enabling two-factor authentication, using strong unique passwords, and keeping contact information current so fraud alerts reach them
- Train employees on how to handle sensitive financial information and recognize potential risks, e.g. suspicious emails, phone calls or account activity
- Encrypt data in transit and at rest, particularly when transferring participant files to recordkeepers and other providers
- Create a protocol for securely destroying old documents, files and hard drives
- Assign risk management responsibilities to a team or individual(s) within your organization
- Contract an outside firm to implement cybersecurity measures where in-house expertise is lacking
- Obtain cyber liability insurance to offset the cost of a breach
Let PlanPILOT help
Prevention is the most important step in retirement plan cybersecurity. The question is no longer whether your business will face a cyberattack, but how to protect retirement plan participants when it does. Protecting retirement plans on your own can be a challenge. PlanPILOT is an innovative consulting firm that understands these complex issues, and we are vigilant about keeping plan sponsors and plan participants safe from cyberattacks. Call us today at (312) 973-4911 or email info@planpilot.com to see how we can help you and your employees protect their retirement plans from cyberattacks.