Small Missteps Can Lead to Data Breaches

09/27/2022 Written by: Jenny Boudreau

Cybersecurity threats are increasingly sophisticated and dangerous. For retirement plan sponsors, understanding the scope of the risk is as critical as the protocols and best practices used for prevention and defense.

Employers must protect themselves against many types of threats. Reducing the possibility of an employee's mistake is important, but it cannot be the only thing protecting employees' savings from a criminal, and simple firewalls are not enough to satisfy industry standards. Here are some simple measures that employers, together with their employees and in coordination with the data security team, can require to further protect financial privacy:

  • Offer ongoing cyber security training to all employees throughout each calendar year.
  • Set up an “IP safe listing” that restricts system access to only approved networks.
  • Encrypt all emails that contain personal information.
  • Require employees to log in only from an authorized computer on the company’s network.
  • Provide recordkeepers with multiple points of contact and require multifactor authentication to log in to any employee account.
  • Strongly encourage employees to access their retirement account online routinely and review it periodically. Employees may believe their retirement plan account is safer if they don’t log in. However, accounts are already online, so if an employee doesn’t claim theirs, it becomes easier for a criminal to claim it on their behalf.
  • Both employers and employees need to immediately notify their recordkeeper if they believe their account or identity has been compromised. A recordkeeper will then take steps to mitigate a compromised identity, including providing additional security measures and account monitoring.

While every plan sponsor, fiduciary, and service provider should consider cybersecurity necessary, the strategy should be customized to fit each plan’s particular needs and circumstances. There is no “one-size-fits-all” strategy for preventing threats that continually evolve. The following are some suggested actions:

  • Implement a structured recordkeeper due diligence process.
  • Work with your recordkeeper to provide cybersecurity education to employees.
  • Check your fiduciary liability policy to confirm that it covers cybercrime for your retirement plan.
  • Review the indemnification language in your vendor agreements.
  • Document everything related to your cybersecurity due diligence process.
  • When reviewing recordkeepers, ensure you understand what technology and protective measures are used to protect employee data. 

Given the amount of sensitive data and asset information maintained and shared across various parties in administering retirement plans, raising awareness about cybersecurity risks and the benefits of developing a prudent cybersecurity risk management strategy is essential. Contact a financial professional at AssuredPartners Investment Advisors for additional information.

