Safeguarding Retirement: Protecting Your Retirement Plan From Cybersecurity Threats
By now, most of us have experienced that feeling of dread when we receive notification from a company or service provider that our personal information has been compromised as a result of a data breach. It has become commonplace in this era dominated by digital transactions and information exchange. Retirement plan sponsors are also facing unprecedented challenges in safeguarding participants’ assets against cybersecurity threats. Retirement plans are prime targets for cyber attacks due to their asset levels and personal data – there are over $10.2 trillion in qualified retirement plan assets as of June 2023, according to the Investment Company Institute. While the Employee Retirement Income Security Act (ERISA) does not explicitly outline rules related to cybersecurity, the Department of Labor (DOL) has confirmed that a prudent fiduciary has an obligation to mitigate cybersecurity risks. This article discusses guidance from the DOL regarding cybersecurity, whether plan sponsors should consider separate cyber liability insurance for their retirement plan, and other practical steps to protect your retirement plan.
Department of Labor (DOL) Cybersecurity Guidance
In 2021, the DOL announced new guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on best practices for maintaining cybersecurity. It was the first time such guidance had been issued, and it provides a baseline for addressing cybersecurity risks in retirement plans. Many plan sponsors have used this framework as a starting point to implement best practices within their organization. At a minimum, fiduciaries should be well versed in the three parts of the DOL guidance and understand the cybersecurity practices of their third-party vendors. It is also critical to educate employees on the importance of good cybersecurity practices as they relate to their retirement accounts. The three documents issued by the DOL are:
- Tips for Hiring a Service Provider – Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices – Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips – Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
Cybersecurity Insurance – Do you need a separate policy for the retirement plan?
When determining a comprehensive approach to cybersecurity, plan sponsors should keep in mind that ERISA’s standard of care stipulates that fiduciaries must always act in the best interests of participants and beneficiaries. Obtaining cyber liability insurance should be just one element of a comprehensive cybersecurity risk management program, and reviewing cybersecurity as it relates to your retirement plan and third-party vendors should be an ongoing part of plan administration.
ERISA requires that plan sponsors obtain a fidelity bond to protect the plan from losses due to fraud or dishonesty (e.g., theft), but this bond will not cover a cyber-related event unless it specifically includes crime coverage, and even then the coverage will likely be insufficient. Another type of insurance, fiduciary liability insurance, while not required by ERISA, insures fiduciaries, and in some cases the plan, against losses caused by a breach of fiduciary responsibilities. Fiduciary liability insurance may only have limited coverage for cyber-related events, so fiduciaries should inquire with their insurance provider as to the coverage levels.
In recent years, many companies have started maintaining cybersecurity insurance for their business, but fiduciaries should exercise caution here and have a clear understanding of whether, and the extent to which, the retirement plan is covered under these policies. A separate cyber liability insurance policy can provide the most comprehensive protection for data breaches and claims from participants and other third parties. It can help a policyholder respond effectively to a cyber breach and provide other risk management services such as forensic assistance and help with complying with regulatory requirements. Often, the biggest expense comes from the investigation and research of the event, not the damages to the plan and participants themselves. A separate policy can also ensure dedicated limits for the sponsored plan.
However, it should be noted that cybersecurity insurance does not protect against all cyber risks and often includes exclusions or insufficient coverage for certain circumstances. The takeaway here is that it is critical to know the depth of coverage the policy provides and, perhaps most importantly, what it doesn’t cover. These policies are relatively new and are not standardized in the marketplace, so plan sponsors should work with an experienced insurance broker/advisor for guidance when evaluating their insurance needs. An ERISA attorney specializing in cyber issues would be a good resource for building a cybersecurity policy specific to the plan, and working with an IT firm can also provide valuable assistance in building out an overarching cybersecurity policy that incorporates the needs of the retirement plan.
Other Practical Steps for Plan Sponsors
- Monitor plan statements – Proactively reviewing plan statements can help detect unauthorized activities and address them in a timely manner.
- Protect employee data internally – Limit access to sensitive data within your organization only to those that need it. Establish protocols for secure data sharing.
- Review third-party vendors’ cybersecurity practices – Continuous assessment of service providers’ security practices is vital and should be done annually, at a minimum.
- Educate employees – Regular training, at least annually, should cover topics such as the importance of setting up and logging into retirement accounts using strong cybersecurity practices.
- Consider a written cybersecurity policy – According to the 65th annual survey of Profit Sharing and 401(k) Plans by the Plan Sponsor Council of America, only 27% of plan sponsors have one in place. However, as with any policy you adopt in your plan, if you adopt it, make sure you are following it.
- Consider including IT – Your internal IT department or an independent IT firm may provide valuable insight into your internal practices and be able to assist in evaluating the practices of third-party providers to ensure alignment with your organization.
Retirement plans contain both significant assets and personally identifiable data, which makes them targets for cyber criminals who are constantly looking for new ways to breach retirement accounts. Fiduciaries should make a coordinated effort to keep this data protected and use the DOL guidance as a starting point. Mitigating cyber risks is a shared responsibility between plan sponsors, third-party providers, and participants. Obtaining a separate cyber liability insurance policy can provide the most important backstop in the event of a breach. For more information, contact your Aldrich Wealth consultant.
Meet the Expert
Kathy Peterson has been leveraging her 20+ years of experience in the financial and retirement plan industry at Aldrich Wealth since 2019. Throughout her career, she has served as an investment advisor, education consultant, and as a plan administrator and fiduciary. Her experience working with thousands of participants as they plan for and reach their…
Kathy's EXPERTISE
- Corporate retirement plans
- Participant education
- Certified Plan Fiduciary Advisor (CPFA™)
- Chartered Retirement Planning Counselor (CRPC®)
- Accredited Investment Fiduciary (AIF®)