It seems that most employees and plan participants “think” their retirement money and data are not at risk. This is due, in part, because:
- there are few published incidents of breaches or potential hacks;
- there has been not a single legal decision involving a cybersecurity breach and a retirement plan; and
- there is no comprehensive federal regulation that protects qualified retirement plans and service providers.
This blog discusses whether retirement plans are really at risk; and if so why. It concludes with some helpful hints and practical advice to reduce such risks, some of which are tips employers (or plan sponsors) can share with retirement plan participants.
Are qualified retirement plans really at risk?
Absolutely. As is the case with all organizations and individuals, everyone is exposed to security risks and fraud. However, there are unique characteristics that make retirement plans attractive targets. For example:
- The electronic environment in which they operate;
- Electronic benefit plan information includes sensitive employee information that is often shared with multiple third parties (e.g., trustees, actuaries, third party administrators (TPAs) and investment advisors);
- Benefit Plans generally fall outside the scope of employer general cybersecurity planning;
- Benefit Plans are not regulated in the same manner as other businesses that handle personal data;
- Sponsors, plan administrators and employee plan participants often have a false sense of security that so-called “anti-virus” and “anti-spam” software as well as “passwords” and other authentication methods protect them; and
- There are few reported cyber incidents and no case law.
What kind of information (and assets) “precisely” is at risk?
Retirement plans are particularly at risk for cybersecurity incidents because of the nature of the data maintained in connection with employer and third party administrator intranet and websites. For example, the electronic data maintained by employers and TPAs includes:
- Personally identifiable information (PII) such as social security numbers, dates of birth, beneficiary information and e-mail addresses. This information is very valuable to cybersecurity hackers as it is permanently associated with an individual unlike a bank account or credit card number that can be changes or cancelled.
- Employee/Participant enrollment data including account balance information, plan asset detail, direct deposit information, compensation/payroll information and other financial data.
Examples of cyber threats to retirement plans involve plans and service providers subject to fraudulent transfers of participant plan assets, either through fraudulent distribution or fraudulent loan requests, ransomware attacks and phishing techniques where a hacker may obtain logon credentials (through a stolen laptop or mobile device storing personal data and misplaced passwords) to access online participant account information.
Note that while the information included in retirement plans is protected under a myriad of laws and regulations, there is currently no comprehensive regulation that protects retirement plans and service providers from cyber threats. See our previous posts from February 2017 and November 2016 for a discussion of whether ERISA provides applies to cybersecurity and the 2016 ERISA Advisory Council Report on Benefit Plan Cybersecurity.
Remember that while few incidents of cybersecurity attacks against retirement plans have been publicized, it is only a matter of time before a major attack occurs. Cybersecurity criminals are becoming more sophisticated every day; be prepared.
What steps should be taken to safeguard retirement plan assets and information?
Plan sponsors should consider:
- A design process for addressing and fixing cybersecurity issues; for example, identify possible gaps in security in the information sharing process with third party administrators.
- Advise and encourage plan participants to:
- choose strong passwords that are hard to guess;
- change their passwords frequently;
- store passwords with care – don’t leave passwords on desk, table or counter for others to see;
- log out completely from any plan related web or intranet site; and
- consider requiring 2-factor authentication to access accounts.
- Ensure that the appropriate level of cyber liability insurance is in place to help mitigate the damage of any potential attack and be sure that such coverage is as broad as possible.
- Consider retaining an outside firm that specializes in cybersecurity for retirement plans to ensure your participants’ data is secure through periodic audits.
- Thoroughly vet service providers and negotiate contract provisions to lower or mitigate the cost of correcting a possible cyberattack on a plan by allocating responsibility to the vendor.
- Implement processes and controls to restrict access to plan systems, applications and data and other sensitive information.
- Develop a cybersecurity risk management strategy specific to your retirement plan(s) – in short, have a plan in place to address your response to a breach (including appropriate notices and remediation efforts).