Securing the Future: Navigating Cybersecurity Challenges in Retirement Plans

Cybersecurity is a top concern for many U.S. businesses and industries. The retirement plan industry holds over $37 trillion in total participant retirement accounts, yet only 27% of plan sponsors have a written cybersecurity policy, according to the 65th annual Survey of Profit Sharing and 401(k) Plans by the Plan Sponsor Council of America (PSCA). Government regulation has driven cybersecurity enhancements in other industries (such as enhanced safeguards for credit cards and online accounts in the banking industry). While the retirement industry currently lacks a comprehensive system of cybersecurity laws and regulations, the Department of Labor (DOL) has turned its attention to cybersecurity for employee benefit plans. In this blog, we review the critical intersection of retirement plans and cybersecurity, exploring the current landscape, the DOL's two-pronged focus on cybersecurity, insights from the Employee Retirement Income Security Act of 1974 (ERISA) Advisory Council, and actionable steps plan sponsors can take to mitigate cyber risks.

DOL Cybersecurity Two-Pronged Focus

In April 2021, the DOL issued cybersecurity guidance covering tips for plan sponsors when hiring a service provider, best practices for protecting plan data, and online security information for participants and beneficiaries. Although this guidance is not required by law, the DOL is using it as a basis for requesting more cybersecurity-related information when it audits plans. Since issuing the guidance, the DOL has increasingly asked audited plans for their documented policies, procedures, and guidelines related to cybersecurity. It has also begun requesting specific details from plan sponsors about how their plan service providers use participant data. According to the PSCA study, 56% of plans have a participant data use policy as part of the recordkeeper service agreement. If a plan is audited by the DOL, the plan sponsor should be prepared to answer questions about such policies and provide follow-up information if requested.

ERISA Advisory Council’s Report on Cybersecurity Insurance

The DOL ERISA Advisory Council (the Council) consists of 15 appointees representing the interests of employee organizations, employers, specific industry fields, and the general public. The Council’s December 2022 report analyzed how cybersecurity insurance addresses risk in employee benefit plans. The Council heard from a number of industry experts representing a wide cross-section of interests, and the central themes of their testimony were that the issue is complex, not widely understood, and requires further study. For instance, one witness suggested the Council consider whether ERISA requires plan fiduciaries and service providers to guarantee against a loss even when they have taken reasonable steps to prevent fraud.

The Council’s report on cybersecurity insurance emphasizes the need for action. While industry experts underscore the complexity of the issue and call for further study, plan sponsors can take proactive steps now. Below are a few ways plan sponsors can mitigate these risks and continue improving the security and well-being of both the plan and its participants.

Steps for Plan Sponsors to Mitigate Cyber Risks

With the increased regulatory focus and greater awareness of cyber vulnerabilities within the retirement plan industry, plan sponsors are looking for ways to meet their fiduciary responsibility in mitigating retirement plan cybersecurity risks. The following are just a few of the ways in which sponsors can address the risks:

  • Cybersecurity Insurance: For sponsors considering retirement plan cybersecurity insurance, a key question when evaluating potential policies is which party would be liable for a cybersecurity breach. Additional considerations include identifying who the insured party is (the sponsor, the plan, or both), who is responsible for purchasing the policy (the sponsor or the plan), and the full scope of the policy (in other words, what is or is not covered in the event of a cyber breach).

    Another aspect to think about is how much coverage the policy should provide. According to this year’s IBM Cost of a Data Breach Report, the average cost of a breach in the United States was $9.48 million. The sponsor should also consider factors unique to its company and the plan.

  • Cybersecurity Risk Management Program: Through the DOL’s audit investigations, some sponsors are feeling increased pressure to implement a cybersecurity risk management program with policies and procedures directly addressing the employee benefit plan.

    If a sponsor decides to adopt a risk management program, ensuring the policy is the right fit is crucial. A boilerplate policy is generally not a good approach, since it may not fully align with the company’s processes and procedures. Any program established around the plan’s cybersecurity should be clearly understood, routinely followed, and updated regularly. A program that is put in place but not adhered to or updated could itself become evidence in the event of plan litigation following a cyber breach.

  • Add IT to the Plan Committee: As cyber technology continues to evolve, adding an IT professional to the plan administrative committee (those charged with plan governance) keeps the committee informed about emerging trends and advancements in cybersecurity. The IT professional can educate the committee on the latest cyber tools and best practices, and can help during the evaluation process by explaining the technological aspects of the plan, such as software systems, data security, and infrastructure requirements. This professional can also encourage the committee to devote appropriate time and resources to plan cybersecurity.

    Overall, including an IT professional on the committee charged with oversight and administration of the plan can help ensure the technology-related aspects of the retirement plan are well-managed, secure, and aligned with the company's goals.

Cybersecurity Is a Shared Responsibility

The cyber community widely accepts that, in the event of a cyber breach, the question is no longer who alone is responsible; rather, all parties share responsibility for cybersecurity. The plan sponsor can play a key role in educating plan participants about their part in building a stronger cybersecurity defense. This education would cover emerging trends in cyber-hacking and proper risk-mitigation practices, such as two-factor authentication, regular account monitoring, and recognizing and avoiding phishing attacks. The PSCA study reported that 61% of plans have cybersecurity awareness campaigns and half have issued email alerts on specific cyber issues.

Closely Monitor the Plan’s Cybersecurity Process

When determining a comprehensive approach to cybersecurity and assessing the plan’s cyber risk profile, plan sponsors should remember that ERISA’s standard of care stipulates that fiduciaries must act in the best interests of participants and beneficiaries. Cybersecurity risks are an ongoing part of present-day plan administration; as such, plan fiduciaries have a responsibility to ask questions and take steps to lessen cybersecurity risk as much as possible.

Sound actions that protect both the plan and the sponsor in the event of a cyber breach include knowing what the plan’s service providers are doing to prevent cybersecurity attacks, educating participants, and documenting policies and controls.

For larger plan sponsors, or those who have experienced a breach, System and Organization Controls (SOC) for Cybersecurity reports can provide an independent assessment of the cybersecurity controls the sponsor has implemented. These reports allow plan sponsors to better manage their risk, support compliance, promote transparency, and make informed decisions about plan vendor selection and monitoring.

Each plan sponsor is tasked with evaluating their plan’s unique cybersecurity risks and needs.

In conclusion, as the landscape of retirement plans intersects with the ever-evolving challenges of cybersecurity, it's imperative for plan sponsors to take proactive measures to safeguard participant data and mitigate potential risks. Understanding the DOL's focus, incorporating cybersecurity insurance, implementing a robust risk management program, involving IT expertise, and fostering a shared responsibility within the plan community are crucial steps. For personalized guidance and comprehensive assistance in navigating IT cybersecurity best practices and compliance, reach out to a Trusted Advisor today. Our experienced professionals stand ready to support you in fortifying your retirement plan against cyber threats, ensuring the security and well-being of both sponsors and participants. Together, let's build a resilient and secure future for your retirement plans.