
Cybersecurity and Retirement Plans

What is cybersecurity? The Oxford Dictionary defines it as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” Cyberattacks and data breaches have become increasingly common in recent years. Data breaches have affected every industry, including the retirement industry.

Now more than ever, plan participants rely heavily on handheld technology such as a cell phone, with apps like Apple Pay and Google Pay, and apps that allow us all to log in to our retirement accounts. These modern conveniences allow us to be more involved in our money and to keep track of budgets and retirement savings, but they also carry many risks. The risks are even higher now that recordkeepers offer budgeting tools and account-aggregation tools that let participants bring outside accounts into one place for a single global picture of their net worth. The risk of linking outside accounts to your retirement plan platform is that more of your data is tied together, so a breach of that platform exposes every account linked to it.

Cyber Concerns
Cybersecurity is a main concern for most plan sponsors because they hold all of your financial and personally identifiable information (“PII”) online in one database. In April 2021, in large part to address this, the U.S. Department of Labor (“DOL”) released guidance to help enhance cybersecurity measures for retirement plans. The guidance was directed more toward plan participants than toward plan sponsors. However, even without DOL guidance, plan sponsors should remain vigilant and properly monitor for cybersecurity risks.

There are numerous ways that plan sponsors should address these concerns. First, when selecting a recordkeeper, make sure that the recordkeeper of choice has proper encryption and security measures in place. Second, ensure that your cybersecurity policy is adequate for your plan size and plan assets.

Personally, the best way I have found to stay on top of all of the cybersecurity changes is to meet with my recordkeeper every year at an annual review and hear from their cybersecurity team how they are protecting their data and ours. In these meetings we address the following: updated security practices and protocols, encryption protocols, any responses to breaches, any updates to their cyber liability insurance, and their recommendations for our insurance. My recordkeeper even gave me a great tip for personal security that I pass on to all my new hires and that we share with participants: use a password locker application that is encrypted and does not sit in an unprotected section of your phone, so it cannot be imaged and stolen.

How would a Human Resources professional be subjected to a cyberattack? On almost any given day I receive a “phishing” email, and my organization gives me the ability to report it immediately, after which it is deleted from my view. Phishing is when an attacker sends a fake communication intended to trick the receiver into disclosing sensitive information. I am sure that most people, like me, receive them and sometimes may think the sender actually is an employee, but we all have to be careful, especially Human Resources and Payroll representatives. The tips that I give my Human Resources team members are: keep your personal and corporate identities online separate, do not click on any links or open any attachments in an email before verifying the sender, and never share sensitive information without encrypting it.

How do plan sponsors protect their plan participants from cybersecurity risks?
The answer is simple: have proper plan controls in place at all times. These plan controls are important, and they cover who has access to your plan participants’ information, how it is collected, where it is stored, and how it is processed. These plan controls matter to your recordkeeper as well, because a diligent recordkeeper will also be making sure that protocols are in place. If you have an ERISA plan and you undergo a yearly audit, the auditor should also ask you about your plan controls. These plan controls should include things such as plan admin access, payroll funding, participant data access, cybersecurity policies, etc.

What information is helpful to plan participants to safeguard against cyberattacks and data breaches? Regardless of the protection at the plan level and at the plan’s recordkeeper, the plan participant should always be diligent. Participants should never share their password, should periodically change their password, and should have a semi-complex password. Participants should also monitor their accounts and review their statements periodically for any activity that seems fraudulent. This is especially important now with more auto-enrollment features: if participants are auto-enrolled into a plan and let it run on its own, it could be months before they notice a fraudulent transaction. Lastly, whenever possible, participants should use two-factor authentication on their retirement accounts, banking, and anything else holding sensitive information.

Conclusion
The best practice is to keep up to date with your recordkeeper’s IT security measures, make sure that your own company’s IT security measures are adequate, and ensure that all staff who have access to plan and participant information are trained in data security.

Tracy Tillery is a member of PSCA's Leadership and Education and Communication committees.