Handle with Care: 401(k) Cybersecurity

Even casual followers of the news know that the safeguarding of personal and sensitive data is a serious matter. And although the most publicized cases of people’s personal information being exposed are usually associated with big corporations, small businesses are by no means immune to information security breakdowns. An increasingly central aspect of a retirement plan sponsor’s fiduciary oversight is how they—and the service providers they contract with, such as recordkeepers or third-party administrators—protect employees’ sensitive personal data. In the past, fiduciaries may have treated cybersecurity as an afterthought, but especially with the Department of Labor recently casting a watchful eye, cybersecurity should be near the top of any retirement plan fiduciary’s priority list.

In April 2021, the Department of Labor provided new guidance to plan sponsors, plan fiduciaries, recordkeepers, and plan participants about cybersecurity best practices. This included tips that will help fiduciaries protect participants and assets that may be at risk from both internal and external cybersecurity threats. Visit the Department of Labor website to learn more.

Why Do 401(k) Cybersecurity Breakdowns Occur?

First, it’s helpful to become familiar with some of the most common reasons for cybersecurity breaches:
• Lack of awareness. Employees, whose job responsibilities require them to handle sensitive employee data, are often insufficiently trained on cybersecurity best practices. Investing in cybersecurity education is a worthwhile endeavor.
• Some vendors and service providers have insufficient cybersecurity policies. Remember, as a plan sponsor and fiduciary, among the most critical tasks you have are the prudent selection of service providers and the continuous monitoring of their performance, which includes their data security standards and protocols.
• Cyberthieves look for every possible advantage. Cyberthieves are increasingly clever, and they adapt to efforts to foil them at a lightning-fast pace. They frequently pose as people they aren’t—such as a service provider, employee, or beneficiary—to gain access to personal data or funds. Further, cyberthieves often target the data of small businesses. Why? Because they typically lack the resources and technology infrastructure of larger businesses and are an easier mark for cyberthieves.

Ask 401(k) service providers about their cybersecurity policies.

Reputable and established service providers (recordkeepers and TPAs) who offer retirement plan services to your company should have written information security measures that can be readily shared with clients. Before choosing to work with service providers, review their policies to ensure that they:
Have procedures for dealing with cybersecurity threats and the protection of your employee participants’ personal information.
Conduct risk assessments periodically to identify susceptibility to cybersecurity threats and the effect of potential business disruptions.
Conduct an annual, independent assessment of their cybersecurity systems and policies.
Employ a chief information security officer (or someone in an equivalent position).
Store, retain, and destroy sensitive data in a secure manner.
Have a business continuity and disaster recovery plan that includes the recovery of your company’s data after a breach.
Remember to document the interaction with your service provider and maintain the responses to add to your plan’s fiduciary file.
According to a U.S. Small Business Association survey, 88 percent of small business owners felt their business was vulnerable to a cyberattack. Review your internal 401(k) information security controls and procedures to stay ahead of these criminals and the potential cybersecurity threats they pose. If you’re unsure about where to start, contact us, we can help.