This article was updated as of August 26, 2022. 

On April 14, 2021, the Department of Labor’s Employee Benefits Security Administration (EBSA) released urgent new guidance on cybersecurity threats. In issuing these materials, DOL provided a clear roadmap for plan sponsors and service providers while emphasizing that under ERISA Section 404, plan fiduciaries are responsible for ensuring cybersecurity risk mitigation as a part of their fiduciary responsibilities. This guidance, combined with increased litigation activity and recent reports of plan audits requesting copies of written cybersecurity policies, should be viewed as a priority call to action by retirement plan fiduciaries, who currently safeguard an estimated $9.3 trillion in retirement assets.

Retirement plans are vulnerable targets for cybercriminals. These plans are typically worth hundreds of thousands—or even millions—of dollars and contain sensitive personal data such as participants’ Social Security Numbers, bank details, and more. 401(k) plans and plan sponsors are becoming targets for hackers, criminals, and bad actors who seek out this data.

Think of how costly it can be for an organization to recover from the damage of a data breach, and then imagine if that data breach happened to your company’s 401(k) plan. You don’t want your company’s employees to lose their hard-earned retirement dollars to theft or have their data compromised, and your organization could also suffer significant damage to its reputation as a result.

As part of your fiduciary responsibility as a plan sponsor, you’re expected to take reasonable precautions to help safeguard your retirement plan against cybersecurity and other threats.

Some of the top cybersecurity threats to 401(k) plans include:

• Identity theft, leading to unauthorized access to distributions: some cybercriminals will falsely claim to be authorized plan officials, plan participants, or plan beneficiaries, leading to unauthorized disbursement of funds.
• Insufficient employee training: employees are the weakest link in cybersecurity for retirement plans—whether it’s using weak passwords, failing to follow good policies and procedures for access privileges, or failing to confirm the identity of an authorized recipient of funds.
• Third-party service providers with inadequate cybersecurity practices: reputable service providers work with outside auditors to review and verify their cybersecurity standards.

Many of the same cybersecurity best practices implemented across business operations can be scaled to include retirement plans. The Department of Labor guidance should serve as a framework to follow in this regard.

With the DOL making it clear that cybersecurity is part of the plan sponsor’s fiduciary obligations under ERISA, it means that in selecting, monitoring, and replacing service providers to the plan, cybersecurity needs to be part of that process. Particular attention should be paid toward existing service providers that hold or have access to sensitive data, and agreements should be reviewed and modified as needed to ensure the five key areas outlined in the DOL guidance are incorporated:

• Requirement for an annual third-party audit to determine compliance with information security policies and procedures
• Clear identification of the service provider’s obligation to keep private information private, prevent disclosure of confidential information, and meet a strong standard of care to protect confidential information
• Provisions related to record retention, privacy, and information security
• Provisions related to notification and cooperation for cybersecurity breaches
• Potentially a requirement related to insurance coverage for cybersecurity breaches

Request for Proposal efforts should also add questions incorporating the recent guidance.

Whether you’re examining existing relationships or evaluating new ones, asking the right questions is only part of the process a fiduciary should consider. The other key component is understanding the responses being provided. Remember that as a fiduciary, the standard to which your actions are held is essentially that of a prudent expert who is familiar with such matters. Said a different way, if you do not have the expertise to evaluate the responses provided, seek assistance from an IT security expert.

As mentioned previously, recent plan audits have requested copies of cybersecurity policies, which makes fiduciary compliance and risk mitigation a bit more broad in scope. If you do not have IT security resources in your company, engage a reputable IT security consultant. This provider can help you evaluate and create a more secure environment, helping you:

1. Create a formal, documented cybersecurity program for your retirement plan. 
2. Do annual risk assessments to stay ahead of the ever-changing IT risk environment. 
3. Conduct an annual third-party security controls audit. 
4. Define and assign clear roles and responsibilities for information security. 
5. Create robust procedures for access control. 
6. Ensure that any data or assets managed by third-party service providers or stored in the cloud can receive adequate security reviews. 
7. Train employees and plan participants on cybersecurity awareness at least once a year. 
8. Organizations with in-house application development efforts should implement a secure system development life cycle (SDLC) program. 
9. Implement a business resiliency program that includes business continuity, disaster recovery, and incident response. 
10. Encrypt sensitive data while stored or in transit to protect the confidentiality of your plan’s data. 
11. Develop strong technical controls, such as system hardening, vendor-supported firewalls, network segregation, and routine patch management. 
12. Respond appropriately to cybersecurity incidents. 

EBSA offers a list of online security tips for retirement plan participants and beneficiaries. Those checking their retirement account online could benefit from these best practices, including: 

• Use multi-factor authentication (MFA), also known as two-factor authentication or 2FA.  
• For all credentials that do not require MFA, a strong password policy should be implemented with a minimum of 14-15 characters and require complexity where available. A passphrase works well, too. Secure password managers help users create and track login credentials without re-using them across multiple accounts or worrying about forgetting their passwords. 
• Watch out for phishing attacks. Phishing emails—fake emails that try to trick people into clicking a link, sharing a password, or other sensitive information—are becoming increasingly sophisticated. These fraudulent emails might even appear to be from a reputable, familiar company. 

Providing cybersecurity information, training, and ongoing reminders to your organization, employees, and plan participants can help keep everyone’s personal information and retirement savings safe from cybercriminals.