Your company’s retirement plan is a valuable benefit that can help you attract and retain the best and brightest talent. Unfortunately, that value is exactly what makes it a tantalizing target for cybercriminals.
Security is No Accident
Cybercrime is like a natural disaster: no one can stop the hurricane, but preparedness is key to surviving its aftermath. Just as you have policies and procedures in place for plan investments, expenses, and operating the plan, you also need to establish a strategy for protecting your plan’s data and assets.
As a plan sponsor, your fiduciary duty requires you to protect plan assets as well as sensitive employee information. This isn’t a burden you have to shoulder alone, though: in addition to helping you manage your plan, your chosen plan providers should also share the responsibility of protecting it.
Reviewing Service Provider Agreements
A thorough evaluation of cybersecurity policies, procedures, and processes of plan providers should be part of every plan's annual vendor review. Service agreements should include a section specifically addressing cybersecurity. The ERISA Advisory Council recommends the following questions regarding data protection when evaluating service providers:
- Does the service provider have a comprehensive and understandable cybersecurity program?
- What are the elements of the service provider’s cybersecurity program?
- How will plan data be maintained and protected?
- Will the data be encrypted at rest, in transit, and on devices, and is the encryption automated (as opposed to manual)?
- Will the service provider assume liability for breaches?
- Will the service provider stipulate permitted uses and restrictions on data use?
- What are the service provider’s protocols for notifying plan management in the event of a breach, and are the protocols satisfactory?
- Will the service provider agree to regular reports and monitoring? If so, what will they include?
- Does the service provider regularly submit to voluntary external reviews of their controls (e.g. SOC reports)?
- What is the level and type of insurance coverage that is available?
- What is the level of financial and fraud coverage that protects participants from financial damage?
- If the service provider subcontracts to others, will the service provider insist on the same protections noted above in its agreement with the subcontractor?
- What controls does the service provider have in place over physical assets that store sensitive data (servers, hard drives, mobile devices, etc.), including when such assets are retired or replaced?
- What are the service provider’s hiring and training practices?
Your employees can also take preventative measures to mitigate risk to their personal information and plan assets. Phishing scams, malware, and other attacks can all provide means by which hackers can compromise your employees’ digital security and steal from their accounts. Consider hosting an educational meeting focusing on cybersecurity tips for retirement plan participants.
With a little tech savvy and some common-sense tips, it’s easy to thwart cyberattacks before they even start. Here’s some valuable advice to share:
- Regularly check accounts for unauthorized activity.
- Protect passwords and login information. Participants should choose strong passwords, change them regularly, and avoid accessing retirement savings accounts using shared computers or open Wi-Fi networks.
- Stolen hardware means stolen information. Protect laptops and other devices with encryption.
- Participants should be instructed to read plan-issued materials and keep their contact information up to date. Accurate contact information ensures they can be contacted as soon as possible in the event of a data breach so they can take immediate action.
- Consolidate retirement savings when changing jobs. Fewer open retirement savings accounts means reduced odds of exposure to a data breach.
Cybersecurity is everyone’s responsibility.
As part of our commitment to act in our clients’ best interests, we take your plan security seriously. We believe that proactive measures can help protect you, your organization, and your participants from the ongoing challenges of cyber threats.
We take precautions to keep your plan data secure by storing sensitive information in an online fiduciary vault and using encrypted emails.
While the threat is real and cannot be prevented, awareness is key. That is why we take full advantage of LPL training and compliance programs, and why we deliver tips and updates on how to protect your most valuable employee benefit.
This information was developed as a general guide to educate plan sponsors. It is not intended as authoritative guidance or tax or legal advice. Each plan has unique requirements, and you should consult your attorney or tax advisor for guidance on your specific situation.