
Is Your Retirement Plan Ready for Today’s Cybersecurity Threats?

Let’s talk practical steps to help keep your employees’ and plan participants’ data protected while meeting all your fiduciary duties.

As a retirement plan sponsor, you’re juggling plenty of responsibilities. Investment oversight, fee monitoring, participant education… we could go on and on. But there’s another item we need to put on your plan priority list: cybersecurity.

If you’re thinking “cybersecurity is an IT issue,” you’re not alone, but you’re also not thinking broadly enough. Many plan sponsors assume data protection falls outside their wheelhouse. But when it comes to your 401(k) plan, cybersecurity is very much a fiduciary responsibility, and it’s one that can have serious consequences if you don’t address it properly.

Why cybercriminals target retirement plans

Retirement plans contain exactly the type of information cybercriminals value most. Think about the sensitive information stored in your plan’s database:

  •       Social Security numbers
  •       Birthdates
  •       Salary information
  •       Account balances
  •       Beneficiary details

This treasure trove of personal and financial data represents a one-stop shop for identity theft and financial fraud.

The substantial assets held in retirement accounts also make them attractive targets. With the average 401(k) balance continuing to grow, and many accounts holding six-figure sums, the potential payoff for successful cyberattacks keeps increasing.

What the Department of Labor expects

The DOL has made it clear that cybersecurity falls squarely within plan sponsors’ fiduciary duties. The agency’s updated 2024 guidance confirms that all ERISA plans must have appropriate cybersecurity measures in place to protect participants and beneficiaries from cybercrimes.

This means that plan sponsors must exercise the same level of prudent oversight for cybersecurity as they do for investment selection and fee monitoring.

Plan sponsor compliance isn’t just checking boxes; it’s demonstrating that you’re taking reasonable steps to protect participant information and plan assets. Let’s look at what you can do on that front.

Building your cybersecurity foundation

Effective cybersecurity requires a systematic approach and attention to key areas that can significantly reduce your risk. Your organization may already have a cybersecurity plan in place to which you can add 401(k)-specific protections.

Protections and steps like:

  •       Protecting data. Encrypt participant information and require multi-factor authentication.
  •       Training employees. Teach them to spot phishing, use strong passwords, and report issues.
  •       Planning for incidents. Have a response plan to minimize damage and show your commitment to safeguarding participant data.

Monitor service providers carefully

Most plan sponsors rely on recordkeepers, payroll companies, TPAs, and other providers. Since these vendors have access to participant data, their cybersecurity practices directly affect your plan’s exposure to potential risks.

When choosing a vendor, ask specific questions. Check their security measures, certifications, and incident handling. Don’t hesitate to ask the tough questions; your fiduciary duty requires this level of due diligence.

Your HFM team welcomes this conversation. If you’d like to schedule a chat to talk through our processes, policies, and security measures, you can do so by clicking here.

Keep tabs on your providers’ security through regular updates and audit report reviews to help confirm they have proper protections in place. Make sure your service contracts include clearly defined cybersecurity requirements and detailed notification procedures for any security incidents.

Developing your cybersecurity policy

A well-documented cybersecurity policy provides detailed guidance for employees, demonstrates your commitment to data protection, and can be valuable evidence of prudent fiduciary oversight.

Your cybersecurity policy should include these essential action components:

  •       Define what constitutes sensitive plan data and how it should be handled.
  •       Specify who can access plan systems and under what circumstances.
  •       Outline mandatory cybersecurity training and ongoing education.
  •       Establish minimum security requirements for all service providers.
  •       Detail steps to take when a security incident occurs.
  •       Schedule periodic reviews and security updates.

Creating a culture of cybersecurity awareness

A policy must be practiced to be effective. It’s not enough to have it written down and tucked away. Effective cybersecurity requires buy-in from your entire organization. Leadership support demonstrates the importance of data protection and helps allocate resources for security initiatives.

Regular communication about cybersecurity threats and best practices helps to promote security awareness.

  •       Send reminders about common threats.
  •       Recognize employees who report suspicious activity.
  •       Update staff on new security measures.

When cybersecurity becomes part of your culture, your potential risks decline significantly.

Taking the next step

Implementing cybersecurity measures and staying current with evolving regulatory requirements may seem daunting, but keep in mind that you don’t have to go it alone. We work alongside our clients as fiduciary representatives and collaborative plan administrators. And we’re always here to help you develop or update your plan protections.

Start by honestly assessing your current cybersecurity practices. Review your existing policies, evaluate your service providers’ security measures, and identify any obvious gaps in protection. Then sit down with your IT and leadership team to plan out the best protections for your compliance needs.


102 WEST HIGH STREET, SUITE 200

GLASSBORO, NJ 08028

HFM Investment Advisors, LLC is a registered investment adviser. All statements and opinions expressed are based upon information considered reliable although it should not be relied upon as such. Any statements or opinions are subject to change without notice. Information presented is for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. All investments involve risk and are not guaranteed. Information expressed does not take into account your specific situation or objectives and is not intended as a recommendation appropriate for any individual. Listeners are encouraged to seek advice from a qualified tax, legal, or investment advisor to determine whether any information presented may be suitable for their specific situation. Past performance is not indicative of future performance.

©401(k) Marketing, LLC. All rights reserved. Proprietary and confidential. Do not copy or distribute outside original intent.
