Retirement plans hold millions of dollars in participant funds, and plan operational platforms maintain highly sensitive participant information, creating a situation ripe for identity theft. As a result, retirement plans have become a focused target for cyber-criminals and cyberattacks. Plan sponsors have a fiduciary obligation to ensure that the plan properly mitigates cybersecurity risks and that participants' retirement money and data are secure.
To help plan sponsors mitigate cybersecurity risk, the U.S. Department of Labor (DOL) has recently announced new guidance on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of U.S. workers. The guidance is directed not only at plan sponsors, but also at plan fiduciaries, plan participants and beneficiaries.
While this notice from the DOL is currently only guidance, and the DOL is not yet taking any enforcement action, it is still important for plan sponsors to be mindful and practice good cybersecurity behaviors. Here are five tips plan sponsors can keep top of mind as they determine whether their current cybersecurity practices need improvement.
1. Familiarize yourself with DOL guidance.
The DOL guidance was developed to help plan sponsors protect themselves against the risk of cyber theft. Familiarizing yourself with the guidance can help keep your data and participants' information secure in the long run, and can keep you informed about the threats and warning signs of cyberattacks.
2. Analyze current policies, then make a plan.
After taking the time to understand the guidance, a plan sponsor should identify what policies they currently have in place, if any, and understand what can be changed to improve cybersecurity. This process can help you determine what needs to be addressed within your organization to minimize risk.
Next, make a plan to address those issues. Whether that means installing a cybersecurity platform, actively monitoring online activity, conducting regular risk assessments, or other measures, there should be a prepared and documented plan to help respond to any potential threat to the retirement plan.
3. Review your service providers.
With cyber threats on the rise, it has never been more important for an organization to understand the cybersecurity processes its service providers have in place as well, because a hole in a service provider's system could eventually lead to a gap in your security too.
Take the time to connect with your service providers to understand whether they are taking the necessary precautions or have a platform in place to protect themselves against cyber criminals. A lack of cybersecurity controls on their end is a red flag and should prompt you to ask further questions.
4. Gather and organize all related documents.
Plan sponsors should take the initiative in gathering and maintaining all related documents in one location. This organizational process helps a plan sponsor ensure that all important documents, including data and participants' sensitive information, are monitored and secured in one place.
5. Take it seriously.
It is no secret that cyber criminals are strengthening their tactics, causing businesses and their employees to fear a potential cybersecurity breach. You should take this guidance and topic seriously, as important information is on the line.
The DOL has determined this to be an enhanced threat and will likely roll out more formal audits over time. Not only should you be prepared for these audits, but as a plan sponsor you should always act as a prudent fiduciary of your participants' retirement assets and personal data.
Don’t let your guard down.
Cyber threats come in all shapes and sizes, and an interconnected company faces additional risk. Organizations should have a well-documented cybersecurity program that protects their data and their participants' personal information, addresses past risks and current threats, and includes a detailed plan to assess the security of their systems and practices.
As you continue to work with service providers for retirement planning, review and inquire about their cybersecurity programs as well. This extra step can ultimately lead to your organization's long-term protection.
Todd Klaben is a Partner at The Bonadio Group located in the Syracuse, New York office. Todd has more than 16 years of experience performing and supervising accounting and tax engagements including audit, review, compilation and tax compliance and consulting. For more information, please visit www.bonadio.com.