Protecting Retirement Plan Assets and Data from Cybercriminals
Erica Rice, CPA
11.3.21 | Berdon Vision
As hackers grow more sophisticated, and because some Plan Sponsors and fiduciaries may not have the security necessary to properly protect the personal data and assets of plan participants, employee benefit plans have become hot targets for cybercriminals. Recognizing the urgent need for protective action, the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued cybersecurity guidance that applies to Plan Sponsors and fiduciaries, recordkeepers, and plan participants.
In effect, the EBSA is now on record that Plan Sponsors and fiduciaries are obligated to take strong measures to mitigate cybersecurity risks. Often Plan Sponsors and administrators have a false sense of security that their service organizations will provide all the protection needed, when in fact, more protection is required. It is also essential that plan participants do not take a passive role and hope that all will be well. The threat of cyberattacks is far too real for all parties involved to be anything less than vigilant.
A Three-Pronged Approach
The DOL provides recordkeepers, service providers, and plan fiduciaries with three main areas under their guidance. First is EBSA’s “Cybersecurity Program Best Practices,” which includes a dozen tips in the form of a checklist to assist them in dealing with cybersecurity risks. Second, EBSA created “Tips for Hiring a Service Provider with Strong Cybersecurity Practices,” which drives home the heightened importance of selecting the right service providers for employee benefit plans. Lastly, EBSA issued “Online Security Tips” to enhance the understanding of plan participants and help them take steps to reduce their risk of being victims of fraudulent activity. Further detail and advice on carrying out each recommendation are in the link at the end of this article.
Checklist: An Even Dozen Best Practices
◻ Develop a formal, well-documented cybersecurity program
◻ Carry out annual risk assessments
◻ Engage a reliable third party for an annual audit of security controls
◻ Produce, define, and assign security roles and responsibilities
◻ Maintain robust access control procedures
◻ Confirm that assets stored in a cloud or managed by a third party have appropriate security reviews and independent security assessments
◻ Perform periodic cybersecurity awareness training
◻ Maintain a secure system development life cycle (SDLC) program
◻ Establish a business resiliency program that includes business continuity, disaster recovery, and incident response
◻ Encrypt sensitive data, stored and in transit
◻ Follow best security practices when initiating technical controls
◻ Appropriately respond to any previous cybersecurity incidents
What to Look for in a Service Provider
The EBSA advises sponsors and fiduciaries that a service provider being considered must demonstrate strong cybersecurity practices. It is essential to assess the quality of their security standards, procedures, and policies. Learn whether they use a recognized standard for information security and employ an outside auditor to review their measures, and ask to review the audit results. Evaluate the provider’s track record in the industry by reviewing public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
The guidance also recommends that any contract with a service provider require ongoing compliance with cybersecurity and information standards. Additionally, the provider must meet government laws and requirements relating to plan participants’ information security. As such, the provider’s service contract should identify how quickly the client will be notified of any cyber incident or data breach and ensure the service provider’s cooperation to investigate and address the cause of the breach. Requiring insurance coverage, such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage, is also highly recommended.
Additionally, Plan Sponsors should review System and Organization Controls (SOC) reports for their custodians, recordkeeper, and payroll provider. A SOC 1 report gives user organizations a strong sense of comfort about the services performed on their behalf, which are relevant to internal controls over their reporting. In a SOC 1 Type 2 report, the organization’s control objectives are listed and tested by an independent auditor. This report will highlight any failures in the control environment of the service organization. At a minimum, Plan Sponsors should review control testing results and user control considerations annually to ensure that:
(a) there is a clear understanding of the division of responsibility between the custodians, recordkeepers, payroll providers, and the Plan Sponsor pertaining to data integrity, security, and retention;
(b) the Plan Sponsor has mitigating controls in place to address the control failures that may have an adverse impact on their operations;
(c) user control considerations identified by the SOC 1 report are addressed by the Plan Sponsor.
Plan Sponsors should be wary of selecting service providers with failures in their internal controls.
Maintaining Online Security
Plan participants and beneficiaries are also included in the EBSA guidance. Among the recommendations are regular monitoring of the accounts, the use of strong passwords (avoiding birthdays or easy-to-guess passwords like ABCD1234), and multi-factor authentication, which is also known as two-factor authentication. This security feature requires multiple means of identification at login and is widely recognized as the most secure software authentication method for verifying access to data and applications.
It is further recommended that contact information be updated the moment it changes, so the user can be reached if a problem arises. Participants should set up account activity notifications to immediately notify them of account activity and investigate anything they didn’t initiate. It would be best if participants also closed or deleted any unused accounts to limit their online presence and reduce vulnerability. There is also advice on recognizing red flags that indicate that they may be the subject of phishing. A phishing message may resemble one from a trusted organization and lure participants into clicking on a dangerous link or passing along confidential information. It is advised that participants use antivirus software and keep apps and software up to date. Finally, participants should make sure they are aware of how to report identity theft and cybersecurity incidents.
For details on the EBSA’s complete recommendations, visit:
Additional Options to Protect Your Plan Participants
In today’s challenging threat environment, organizations should strongly consider obtaining cybersecurity insurance. Cyber insurance policies help cover the financial losses that result from cyber events and incidents. There are also policies that help with the costs associated with remediation, including payment for legal assistance, investigators, crisis communicators, and customer credits or refunds. While purchasing a policy won’t eliminate the risk of your employee benefit plan being hacked, it will provide a safety net to ensure that the financial assets of your plan participants are not completely lost.
In addition to purchasing insurance, companies can also work with outside providers to regularly assess their organization’s overall cyber risk. Berdon Technology Services (BTS) and its partners are equipped with the knowledge and experience to assess the cybersecurity controls and infrastructure of a company’s Plan Sponsors, fiduciaries, and recordkeepers to ensure that the right measures are in place to safeguard their critical information.
The alphabet soup of cybersecurity acronyms can be confusing to a non-technical person, but the BTS comprehensive assessment will translate the findings into plain English that everyone understands—helping all stakeholders do their part to protect the personal data and financial assets of plan participants.
Berdon LLP New York Accountants