Trillions of dollars are held in US retirement accounts, according to the Investment Company Institute. That concentration of assets makes retirement plans a tempting target for attackers seeking to steal personal data or take over accounts. With plan participants increasingly relying on mobile apps and online platforms to access and monitor their retirement funds, more cyberattacks on retirement plans seem inevitable. Plan sponsors and their fiduciaries should consider taking proactive steps to protect their participants and plan assets. Below we review retirement plan cybersecurity best practices that plan sponsors should consider adopting to safeguard against cyberattacks.
Common Threats to Retirement Accounts
According to the Society for Human Resource Management (SHRM), the two most common attacks on retirement accounts are:
- Theft of personal identifying information (PII), which ultimately leads to identity theft; and,
- Theft of a participant’s funds, through fraudulent transactions and schemes.
These attacks, together with the common ways an individual's data is compromised and used fraudulently online (e.g. malware, phishing, ransomware), have contributed to overall losses from cybercrime of roughly $600 billion per year, according to security software vendor McAfee.
Retirement Plan Cybersecurity Best Practices
Best practices for plan sponsors and other fiduciaries responsible for retirement plan assets should include the following:
1. Create a Prevention Plan.
One of the first steps in effectively securing your retirement plan is establishing cybersecurity policies and procedures for preventing or reducing cyber risk. The plan should address the following:
- Identify what data could be exposed, where it is stored, how it can be accessed, and who has access to it. Control and limit access to sensitive data to only those who perform plan functions.
- Put policies in place to protect the data and safeguard it from potential threats. Protection can be physical and virtual, including encrypting data in transit, deploying security software to monitor for threats, securely wiping or destroying old files and hard drives, and conducting routine training for fiduciaries and participants.
- Establish how a security breach will be detected and who is responsible for detecting it. Designate a person, team or third party to handle the response when a breach occurs.
2. Create a Strategy for Incident Response
Plan sponsors should develop an incident response plan for use in the event of a cyberattack. Once an attack is identified, the plan should lay out the steps for assessing the attack, communicating it to the organization and its employees, and taking any actions the attack requires. The plan should be developed with buy-in from every level of the organization, and it must identify the roles and specific responsibilities of the key employees who will act in a rapid-response scenario.
3. Develop a Communication and Training Program for Plan Participants
Many security breaches are unintentionally caused by employees. Plan sponsors should develop a program that educates plan participants about the types of cybersecurity risks, how to prevent them, and what to do and expect if a breach occurs. We recommend:
- Creating an outline of the types of risks plan participants can face. Those risks should be clearly communicated to participants and updated frequently as new risks are identified.
- Creating documents for plan participants that explain how to protect their accounts and data, e.g. choosing strong, unique passwords, making sure they are on a secure network, etc.
- Conducting regular cybersecurity training for employees and for individuals who perform plan functions, in addition to participants. Topics can include:
- Types of cyberattacks
- Password security and two-factor authentication
- Regular monitoring of accounts for fraudulent transactions
- How to handle sensitive information
- Types of suspicious emails, calls or activities
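The "regular monitoring of accounts for fraudulent transactions" topic above, and the prevention-plan step of deciding how a breach will be detected, are easier to act on with a concrete rule in hand. The following is an added example written for this page, not PlanPILOT's software nor any recordkeeper's fraud engine. It holds a distribution request for manual review when it follows the classic account-takeover sequence: a password reset, a login from a never-seen device, and changes to contact or bank details shortly before the payout. The log format, field names, the 7-day and 1-day windows, and the sample activity are all constructed assumptions for illustration.

```python
# Added example (not PlanPILOT's or any recordkeeper's code): a small rule-based
# review of distribution requests. The event format, field names, thresholds and
# sample events below are constructed assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Profile or credential changes that commonly precede a fraudulent withdrawal
# in an account takeover: the attacker redirects the payout and locks the
# legitimate participant out before requesting the distribution.
SENSITIVE_CHANGES = {"bank_account_change", "email_change", "phone_change", "password_reset"}
CHANGE_WINDOW = timedelta(days=7)       # assumed review window for those changes
NEW_DEVICE_WINDOW = timedelta(days=1)   # assumed review window for first-seen devices


@dataclass(frozen=True)
class Event:
    ts: datetime
    participant: str
    kind: str         # "login", "distribution_request", or one of SENSITIVE_CHANGES
    detail: str = ""  # for "login": a device identifier; otherwise free text


def parse_events(lines):
    """Parse constructed 'ISO-timestamp|participant|kind|detail' records, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, participant, kind, detail = (line.split("|", 3) + [""])[:4]
        events.append(Event(datetime.fromisoformat(ts), participant, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def review_distribution_requests(events):
    """Return {(participant, request timestamp): [reasons]} for requests needing manual review."""
    flagged = {}
    by_participant = {}
    for e in events:
        by_participant.setdefault(e.participant, []).append(e)

    for participant, history in by_participant.items():
        seen_devices = set()
        prior = []  # this participant's earlier events, oldest first
        for e in history:
            if e.kind == "login" and e.detail and e.detail not in seen_devices:
                # First sighting of this device: record it as its own signal.
                seen_devices.add(e.detail)
                prior.append(Event(e.ts, participant, "new_device_login", e.detail))
                continue
            if e.kind == "distribution_request":
                reasons = []
                for p in prior:
                    age = e.ts - p.ts
                    if p.kind in SENSITIVE_CHANGES and age <= CHANGE_WINDOW:
                        reasons.append(f"{p.kind} within {CHANGE_WINDOW.days} days of request")
                    elif p.kind == "new_device_login" and age <= NEW_DEVICE_WINDOW:
                        reasons.append(f"login from new device {p.detail} within {NEW_DEVICE_WINDOW.days} day of request")
                if reasons:
                    flagged[(participant, e.ts.isoformat())] = reasons
            prior.append(e)
    return flagged


# Constructed sample activity: alice and carol are routine; bob shows the
# takeover pattern (reset, new device, contact and bank changes, then a payout).
SAMPLE_LOG = """
2024-02-10T08:00:00|bob|login|device-b1
2024-03-01T09:00:00|alice|login|device-a1
2024-01-05T12:00:00|carol|login|device-c1
2024-03-01T10:00:00|carol|phone_change|
2024-03-18T22:15:00|bob|password_reset|
2024-03-18T22:20:00|bob|login|device-b2
2024-03-18T22:30:00|bob|email_change|
2024-03-19T07:45:00|bob|bank_account_change|
2024-03-19T08:00:00|bob|distribution_request|$48,000 lump sum
2024-03-19T11:00:00|carol|distribution_request|$2,000 hardship
2024-03-20T10:00:00|alice|distribution_request|$1,500 loan
""".splitlines()


def review_sample():
    """Run the review over the constructed sample; only bob's request is held."""
    return review_distribution_requests(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for (who, when), why in review_sample().items():
        print(f"HOLD {who} {when}: " + "; ".join(why))
```

Two caveats a practitioner would apply before using anything like this: seed the known-device set from real login history so that long-standing devices are not treated as new on the first run, and route a hold to a human who confirms the request out of band using contact details that were on file before the recent changes, not the newly entered ones. The windows and rule set are starting points to tune against your own plan's activity.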
How PlanPILOT Can Help With Retirement Plan Cybersecurity
We recognize the growing reliance on data platforms by financial services firms invites a greater potential for risk, including the breach of retirement account data and the loss of assets. A recognition of this risk requires plan sponsors and other retirement plan fiduciaries to have in place strategic plans for mitigating such risk. We can assist in developing and maintaining best security practices which, along with others developed over time in the wake of serious data breaches and loss experienced throughout the industry, provide effective deterrence and remedial procedures. These still may not be enough to completely deter a cyberattack or attempts by those with an illegal intent from gaining access to your retirement accounts in this ever-expanding risk environment. A proactive, affirmative recognition of the potential risk and steps taken to mitigate that risk will go a long way to minimize the impact of such attacks and the resulting damage, both in terms of financial loss and loss to your reputation as a fiduciary.
PlanPILOT is an innovative consulting firm that understands these types of complex issues. We are vigilant about retirement plans cybersecurity and keeping plan sponsors and plan participants safe from cyberattacks. Call us today at (312) 973-4911 or email info@planpilot.com to see how we can help you and your employees protect their retirement plans from cybersecurity attacks.
Great post! Thanks for sharing the knowledge and keep up the good work.