By Mark Olsen, Managing Director at PlanPILOT
While October is recognized as Cybersecurity Awareness Month, the topic deserves attention year-round. For retirement plan sponsors, creating and maintaining an incident response plan is a critical fiduciary responsibility. It involves developing procedures for handling breaches, learning from real-world examples, and training internal teams and committee members on cybersecurity awareness.
At PlanPILOT, we are all too aware of the havoc a cybersecurity breach can cause to operations and participant confidence. Implementing a sound and effective plan to combat cyberattacks and preserve sensitive participant and plan information can not only boost employee morale and confidence, but also demonstrate fiduciary responsibility as a plan sponsor.
Let’s take a look at how such a Cybersecurity Response Plan might be implemented.
Steps for Creating and Maintaining an Incident Response Plan
According to the Department of Labor (DOL) cybersecurity guidance for plan sponsors and the incident-handling lifecycle described in NIST SP 800-61, a robust incident response plan (IRP) moves through four phases:
1. Preparation
- Create a formal cybersecurity program: Document your policies and establish a clear plan. Require senior management and response teams to review and clearly understand these policies and procedures. Have the “manual” readily available for review and retrieval when requested in an audit.
- Conduct risk assessments: Annually identify and address vulnerabilities in your IT systems, including those of third-party vendors. Work with IT consultants who have up-to-date knowledge of ever-changing cyber threats and breach techniques.
- Establish an incident response team: Define roles, responsibilities, and authority levels for a dedicated team (also known as a Computer Security Incident Response Team, or CSIRT) that can act swiftly.
- Identify and categorize incidents: Define what constitutes a cybersecurity incident for your organization, and assign severity tiers based on potential impact (for example, a single phishing click versus confirmed exposure of participant data) so that the response scales accordingly.
- Define communication protocols: Create procedures for internal and external communication with stakeholders, including participants, regulators, and legal counsel. Check your cyber or P&C insurance policy before an incident occurs: many insurers require prompt notification and a say in breach communications, counsel, and forensics vendors as a condition of coverage.
2. Detection and analysis
- Monitor systems: Use logging, monitoring, and alerting (at minimum on authentication, privileged access, and changes to participant accounts) to detect potential security incidents. Schedule and document regular testing of these systems so you know the alerts actually fire.
- Validate potential threats: Thoroughly investigate and confirm whether a detected event is a real security incident.
3. Containment, eradication, and recovery
- Contain the breach: Implement response protocols to quickly isolate affected systems and limit the exposure of data.
- Engage experts: Bring in cybersecurity and forensics professionals to help remediate the breach.
- Remove the threat: Eradicate the root cause of the incident, such as malware or unauthorized access, and patch vulnerabilities.
- Recover and restore: Restore systems from clean backups that predate the compromise, confirm the root cause has been closed before reconnecting them, and resume normal operations as quickly as that allows.
4. Post-incident activities
- Conduct a blameless retrospective: Document the full incident timeline and analyze the effectiveness of the response.
- Update the plan: Learn from the incident to improve the IRP and overall security posture. Revise the plan annually or after any significant organizational change.
- Document and report: Create detailed incident reports for legal and regulatory purposes.
Examples of Breaches and Lessons Learned
Recent breaches targeting retirement plans and associated third-party vendors offer valuable lessons for plan sponsors.
- JP Morgan Chase data breach (2024): A software flaw let authorized system users run reports containing personal information on over 451,000 retirement plan participants that they were not entitled to see, and the flaw went undetected for an extended period. JP Morgan Chase is one of the world’s largest banks and is subject to extensive banking and securities cybersecurity regulation, yet the bug still slipped through.
  - Lesson: An access-control defect in your own or a vendor’s software can expose data without any outside attacker. Regular, thorough security reviews of all software, including authorization logic and report permissions, are essential.
- MOVEit cyberattack (2023): A zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer tool was mass-exploited by the Cl0p extortion group, leading to breaches at several public pension systems and major recordkeepers and affecting millions of individuals. Many plans were hit not because they ran MOVEit themselves but because a vendor, or a vendor’s subcontractor, did.
  - Lesson: Third-party and fourth-party vendors are a major source of risk. Plan sponsors must conduct strict due diligence on all vendors, ask which file transfer and data exchange tools they and their subcontractors use, and require prompt notification of vendor incidents.
- Account takeovers: Criminals are increasingly aware that retirement plans are a valuable target. Using stolen participant data, or credentials reused from other breaches, they log in as the participant, change the contact and bank details on file, and then take out unapproved loans or redirect distributions to accounts they control.
  - Lesson: Encourage participants to use strong, unique passwords and multi-factor authentication. Plan sponsors should also confirm that their recordkeeper runs modern fraud surveillance that alerts on changes to contact or bank information, holds disbursements for a period after such changes, and verifies them with the participant out of band.
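As an added example of what fraud surveillance looks like in practice (this is illustrative code written for this article, not PlanPILOT’s or any recordkeeper’s system), the following Python script replays a constructed feed of participant-portal events and flags the sequence a takeover usually follows: a credential reset from an unknown device, a change of contact and bank details, then a loan or distribution request. The event schema, the rule thresholds, and the sample events are all assumptions.

```python
"""Rule-based account-takeover surveillance for a participant portal (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One participant-portal event (constructed schema, not a real recordkeeper feed)."""
    participant: str
    ts: datetime
    kind: str                 # login | password_reset | mfa_disabled | contact_change |
                              # bank_change | loan_request | distribution_request
    new_device: bool = False  # device fingerprint never seen before for this participant
    amount: float = 0.0       # dollars, for loan/distribution requests


@dataclass(frozen=True)
class Alert:
    participant: str
    rule: str
    action: str
    trigger: Event


# Hypothetical policy thresholds; a real program would tune these against its own fraud history.
HOLD_WINDOW = timedelta(days=7)          # disbursement this soon after a bank-details change
CREDENTIAL_WINDOW = timedelta(hours=24)  # profile change this soon after a credential reset
DISBURSEMENT_KINDS = {"loan_request", "distribution_request"}
PROFILE_KINDS = {"contact_change", "bank_change"}
CREDENTIAL_KINDS = {"password_reset", "mfa_disabled"}


def _within(history, kinds, now, window):
    """Earlier events of the given kinds that fall inside `window` before `now`."""
    return [e for e in history if e.kind in kinds and timedelta(0) <= now - e.ts <= window]


def detect_account_takeover(events):
    """Replay events per participant in time order and return the alerts raised, in that order."""
    alerts = []
    history_by_participant = {}
    for ev in sorted(events, key=lambda e: (e.participant, e.ts)):
        history = history_by_participant.setdefault(ev.participant, [])
        # Rule 1: money out shortly after the destination account changed is the classic cash-out.
        if ev.kind in DISBURSEMENT_KINDS and _within(history, {"bank_change"}, ev.ts, HOLD_WINDOW):
            alerts.append(Alert(ev.participant, "disbursement_after_bank_change",
                                "hold the payment and verify bank details out of band", ev))
        # Rule 2: contact or bank details changed within a day of a credential reset from a new device.
        if ev.kind in PROFILE_KINDS and any(
                c.new_device for c in _within(history, CREDENTIAL_KINDS, ev.ts, CREDENTIAL_WINDOW)):
            alerts.append(Alert(ev.participant, "profile_change_after_credential_reset",
                                "freeze profile changes and call the phone number of record", ev))
        # Rule 3: MFA removed from a never-seen device is suspicious on its own, no correlation needed.
        if ev.kind == "mfa_disabled" and ev.new_device:
            alerts.append(Alert(ev.participant, "mfa_disabled_from_new_device",
                                "re-enable MFA and require identity verification", ev))
        history.append(ev)
    return alerts


# Constructed sample feed: P-1001 shows the takeover pattern, P-2002 is a legitimate participant
# who changed banks weeks before requesting a distribution, P-3003 has MFA removed from a new device.
SAMPLE_EVENTS = [
    Event("P-1001", datetime(2024, 3, 1, 9, 0), "password_reset", new_device=True),
    Event("P-1001", datetime(2024, 3, 1, 9, 10), "contact_change"),
    Event("P-1001", datetime(2024, 3, 1, 9, 30), "bank_change"),
    Event("P-1001", datetime(2024, 3, 3, 10, 0), "loan_request", amount=25000.0),
    Event("P-2002", datetime(2024, 2, 1, 14, 0), "login"),
    Event("P-2002", datetime(2024, 2, 1, 14, 5), "bank_change"),
    Event("P-2002", datetime(2024, 3, 15, 11, 0), "distribution_request", amount=12000.0),
    Event("P-3003", datetime(2024, 3, 10, 8, 0), "mfa_disabled", new_device=True),
]

if __name__ == "__main__":
    for a in detect_account_takeover(SAMPLE_EVENTS):
        print(f"{a.trigger.ts:%Y-%m-%d %H:%M} {a.participant} {a.rule}: {a.action}")
```

Run stand-alone, the script raises three alerts for P-1001 (two profile changes after the credential reset, then the loan request inside the hold window), none for P-2002 because the 43-day gap is outside the hold window, and one for P-3003. The point of the rules is sequence and timing, not any single event: each step in the takeover looks legitimate in isolation, which is why a recordkeeper’s surveillance has to correlate them and why a hold period plus out-of-band verification after a bank change is the control that actually stops the money leaving.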
Training Internal Teams and Committee Members
Effective training can significantly reduce the risk of a breach and improve a plan’s response. The training should be tailored to the audience and provided regularly.
- Regular awareness training: Educate all staff on how to recognize phishing emails, social engineering tactics, and other common threats.
- Phishing simulations: Conduct regular phishing tests to measure employee vulnerability and reinforce lessons learned from training.
- Data handling protocols: Train employees on how to securely handle sensitive data, use corporate devices, and access plan information.
- Breach action plan: Train teams on their specific roles within the incident response plan, including detection, containment, and notification procedures.
- Best practices: Promote strong passwords, use of multi-factor authentication, and vigilance against suspicious communications.
For Retirement Plan Committee Members
- Understand fiduciary duty: Train committee members on their fiduciary responsibility for protecting plan assets and participant data.
- Address key risks: Educate the committee on the specific cybersecurity risks facing the plan, including third-party vendor risks and account takeovers.
- Review and approve policies: Train committee members on how to evaluate and approve the plan’s cybersecurity policies and incident response procedures.
- Discuss vendor controls: Review System and Organization Controls (SOC) reports, ideally SOC 2 Type II, and other security audits from recordkeepers and other vendors. Pay attention to any exceptions the auditor noted and to the complementary user entity controls, which are the controls the vendor assumes you implement on your side.
- Conduct tabletop exercises: Simulate a breach scenario with the committee to test the incident response plan and evaluate decision-making under pressure.
In today’s fast-changing world of technology, cybersecurity and guarding against attacks on company IT systems are not only critical to protecting company information and operations but also an essential part of a plan sponsor’s fiduciary responsibilities.
Plan sponsors interested in upgrading or implementing a cybersecurity protection and response plan would be wise to work with qualified benefit consultants who can offer customized plan design tailored to company objectives and resources as well as a good match with participant goals and demographics.
Is Your Company Retirement Plan Protected Against Cyberattacks?
Are you ready to upgrade to a new standard for your benefit planning and company retirement plan? Reach out to us at (312) 973-4913 or send an email to mark.olsen@PlanPILOT.com to learn more about how we can customize our services and your plan to fit your unique needs.
About Mark
Mark Olsen is the managing director at PlanPILOT, an independent retirement plan consulting firm headquartered in Chicago. PlanPILOT delivers comprehensive retirement plan advisory services to 401(k), 403(b), and 457 plan sponsors. His specialties include plan governance, investment searches, investment monitoring, and plan oversight. Mark is recognized as a leader in the industry and speaks at national conferences, including those organized by Pensions & Investments, and CUPA-HR.
