As a fiduciary, you are responsible for maintaining and overseeing your organization’s retirement plan. One of these key responsibilities is ensuring that your plan and participant data are protected from cyber threats. With more information being stored online, hackers have expanded their targets and are now aiming at 401(k) plans and data to gain access to personal information and retirement savings. Your employees have spent years saving for their future, so it’s critical to establish robust security protocols to make sure your employees’ plan information and private data are safe and out of the hands of criminals. How do your security procedures stack up? Here are several cybersecurity measures that your organization should implement if it has not already done so:
1. Develop and document a cybersecurity program that’s specific to your company and employee data. Routinely evaluate it to ensure it remains relevant. Hackers are continuously evolving their methods to gain access to private information, so it’s important that your plan evolves along with them. Creating an effective program has many facets, but two key ones are assigning designated roles and responsibilities for managing plan data and security, and making a business continuity plan part of your program. This covers everything from who handles payroll information, who handles qualified domestic relations orders (QDROs), and who handles loans and distributions, to who will fill in if someone is out sick or on vacation. Nowadays, many retirement plan providers (recordkeepers and third-party administrators) will handle these administrative functions for you. Where they don’t, you should have a plan in place, and the individuals responsible for those functions should be fully trained in and aware of the security measures and best practices for data security. If something catastrophic were to occur, your business continuity plan should include disaster recovery and incident response so that your team is prepared and knows what actions to take based on their roles.
2. Conduct risk assessments and third-party security audits. Technology risks, much like hackers’ strategies, are always changing, so it’s important that your plan stays on top of those risks and that your third-party vendors do too. Most retirement plan providers will have SOC 1 and SOC 2 reports available; you just need to ask to see them. These reports outline the provider’s internal controls and procedures.
3. Implement strong procedures around internal, access and technical controls for your plan. Only your designated team members should have access to plan information, so ensure that measures are in place that prevent others from gaining access. Limit the number of employees who have access to your recordkeeper’s website for plan administration. For technical controls, consider using firewalls, continual patch management and network segregation.
4. Ensure that all private data within your plan is encrypted in transit whenever it is sent to plan participants or third-party vendors.
5. Regularly train your employees on cybersecurity threats and red flags. Your plan participants are your first line of defense against hackers and should be properly trained to identify a potential attack. Training should not be a one-and-done task during the onboarding process; it should be repeated routinely and required, so that employees understand that they play a key role in defending their plan information. Some tips for training your employees include encouraging them to use strong, unique passwords (or, better yet, passphrases), to use multi-factor authentication wherever possible to add an extra layer of protection, and to watch out for phishing attacks.
6. One final tip is to make sure you encourage any new employees who will be entering your retirement plan to log in to the recordkeeper website to set up their account and establish the proper security measures. If retirement plan participants don’t create their accounts, that is an open door for hackers to create the account for them using personal information obtained through social engineering. This is something retirement plan providers cannot necessarily prevent despite their best efforts.
The measures listed above require time, effort, and expertise to ensure that they are as robust as possible. As a fiduciary, it’s standard practice that you have the knowledge and understanding to best manage your organization’s 401(k) plan. If cybersecurity does not fall under your areas of expertise, it’s highly recommended to partner with an IT security provider who can step in and implement a strong cybersecurity program that meets your organization’s needs.
In addition to offering retirement plan advisory services, we also provide managed IT services and regularly partner with clients to identify potential gaps and create a security program that best addresses them for the future.
If you have questions regarding what our services can do to protect and maximize your plan, we would be happy to discuss this further. Let’s have a conversation!