Retirement Plan Cybersecurity Considerations

Retirement plans are a potential target for cyber threats, making it crucial for fiduciaries to take action. To help safeguard participant data and retirement assets, the Department of Labor (DOL) has released guidelines aimed at protecting benefit plans from internal and external cybersecurity risks. Here's what retirement plan fiduciaries, providers and participants need to know to stay ahead of these threats.

Fiduciary Best Practices

The DOL requires retirement plan fiduciaries to ensure their service providers follow strong cybersecurity practices. Fiduciaries should consider the following when selecting and monitoring providers:

  • Ask about their cybersecurity practices, procedures, policies and audit results, and compare them to what others in the industry are doing.
  • Ask how they evaluate their procedures and what level of security standards they meet.
  • Evaluate their cybersecurity track record based on public records.
  • Ask about any prior breaches, including what happened and how the provider handled the issue.
  • Ask about insurance coverage they may have that would cover any losses due to internal and external breaches.
  • Ensure all provider contracts require ongoing compliance with security standards. Beware of contract provisions that limit the service provider’s responsibility for breaches.

Provider Best Practices

According to the DOL, recordkeepers and other service providers responsible for plan-related IT systems and data should have processes in place to protect plan assets. The following guidance is designed to help plan providers mitigate risks and plan fiduciaries make prudent decisions on the service providers they hire.

Service providers should:

  • Have a formal, well-documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Have a reliable annual third-party audit of security controls.
  • Clearly define and assign information security roles and responsibilities.
  • Have strong access control procedures.
  • Ensure any assets or data stored in a cloud or managed by a third-party provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Implement and manage a secure system development life cycle (SDLC) program.
  • Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
  • Encrypt sensitive data, both at rest and in transit.
  • Implement strong technical controls in accordance with best security practices.
  • Appropriately respond to cybersecurity incidents.

Participant Best Practices

The DOL believes plan participants and their beneficiaries also have a responsibility to help keep their accounts secure. Plan sponsors should communicate the following tips to participants and beneficiaries:

  • Register for their online account and monitor it regularly.
  • Use strong and unique passwords.
  • Use multi-factor authentication.
  • Keep contact information current.
  • Close/delete any unused accounts.
  • Avoid ‘free’ Wi-Fi.
  • Don’t share passwords, account details or other sensitive information with anyone.
  • Use anti-virus software and keep all apps current.
  • Know how to report identity theft and cybersecurity incidents.

With all parties following these best practices, risks of a security breach can be minimized. Connect with a professional to learn more.

Investment advisory services provided through CBIZ Investment Advisory Services, LLC, a registered investment adviser and a wholly owned subsidiary of CBIZ, Inc.


© Copyright CBIZ, Inc. and CBIZ CPAs P.C. (together, “CBIZ”). All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ is the brand name for CBIZ CPAs P.C. and CBIZ Advisors, LLC (together), a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of growth-oriented companies. CBIZ Advisors, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). CBIZ CPAs P.C. is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and CBIZ CPAs P.C. are members of Kreston Global, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.

Published 2024-10-03. Topics: Investment Advisory, Retirement Plan Services.