Driving Cybersecurity with Participants and Providers

Plan sponsors should evaluate providers’ cybersecurity practices, but there are also steps they and plan participants can take to safeguard retirement accounts.

Among a plan sponsor’s responsibilities, encouraging and enforcing cybersecurity are not the first tasks that come to mind.


But, as modern technology takes over the common workplace, the concept of cybersecurity for retirement plans has started to see attention. In late 2018, the ERISA [Employee Retirement Income Security Act] Advisory Council requested guidance from the Department of Labor (DOL) on how employers should evaluate cybersecurity risks, and asked the DOL to mandate that plan sponsors build a protection process and understand how those defenses work. In February, lawmakers sent a letter to the U.S. Government Accountability Office (GAO), asking it to examine cybersecurity in the U.S. retirement industry.


Plan sponsors, providers and participants are coming to understand how susceptible retirement plan and participant data are to hacks and online threats. But what can they do to try to prevent attacks?


For starters, participants need to register their accounts online, says Charlie Nelson, CEO of Voya Retirement. Ensuring participants have registered can provide an additional degree of security in knowing that no one else is registering on a participant’s behalf.


“We sometimes hear people say, ‘My account is safe because I never registered for online access.’ That can be misguided. Fraudsters will sometimes try to get access to an unregistered account so they can set the original data points, such as a phone number or other piece of information,” Nelson says.


Not only should accounts be registered, but personal devices, including laptops, phones and tablets, are important to cybersecurity as well, Nelson adds. He suggests that another step in securing private information is implementing two-factor authentication, where a one-time access code is sent to a participant via a phone call, text message or email, for example, to access his account.
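As an added illustration of the one-time access code Nelson describes (this is example code written for this page, not code from the article, from Voya or from any provider mentioned), the Python below sketches the server side of such a second-factor step. The code is bound to the login session, expires after a few minutes, can be used once, is stored only as a keyed hash rather than in plaintext, is compared in constant time, and is discarded after a fixed number of wrong guesses. The class and function names, the constants, and the fact that delivery of the code (call, SMS or email) is left to the caller are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example; a real deployment picks its own.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code stays valid for five minutes
MAX_ATTEMPTS = 5         # discard the challenge after this many wrong guesses


@dataclass
class Challenge:
    """One outstanding second-factor challenge for a single login session."""
    code_hash: bytes       # keyed hash of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class OneTimeCodeService:
    """Issues and verifies short-lived, single-use access codes (hypothetical service)."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key        # secret known only to the server
        self._clock = clock           # injectable so expiry can be tested deterministically
        self._challenges: dict[str, Challenge] = {}

    def _digest(self, session_id: str, code: str) -> bytes:
        # Bind the code to the session so a code issued for one login
        # cannot be replayed against a different login.
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh code for this session and return it for out-of-band delivery."""
        # secrets gives a CSPRNG-backed value; zero-pad to a fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[session_id] = Challenge(
            code_hash=self._digest(session_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code   # the caller hands this to the phone call / text / email channel

    def verify(self, session_id: str, submitted: str) -> bool:
        """Return True exactly once, for the correct code, before expiry, within the guess limit."""
        ch = self._challenges.get(session_id)
        if ch is None or ch.used:
            return False
        if self._clock() > ch.expires_at:
            del self._challenges[session_id]          # expired: forget it entirely
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[session_id]          # too many guesses: forget it entirely
            return False
        ch.attempts += 1
        # Constant-time comparison of keyed hashes avoids leaking how many characters matched.
        if hmac.compare_digest(self._digest(session_id, submitted), ch.code_hash):
            ch.used = True                            # single use
            return True
        return False


if __name__ == "__main__":
    svc = OneTimeCodeService(server_key=secrets.token_bytes(32))
    code = svc.issue("login-session-abc")             # constructed session id
    print("deliver out of band:", code)
    print("first check:", svc.verify("login-session-abc", code))    # True
    print("replay check:", svc.verify("login-session-abc", code))   # False
```

The example deliberately keeps delivery out of the class: whichever channel carries the code, the server never stores the code itself, so a copy of the challenge table does not reveal live codes, and the session binding, expiry, single-use flag and guess limit together cover the usual ways a code-based second factor is weakened in practice.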


“We recommend this feature as it provides another layer of security, in addition to a password,” Nelson says. “Some may view this as an inconvenience, but when it comes to what is – for many people – their greatest financial asset, taking extra steps to protect their account is worth the time and effort.”


George Sepsakos, principal with Groom Law Group, says the industry has been seeing two-factor authorization features applied by plan sponsors recently. He adds that instituting required regular password changes could also aid in preventing hacks or online threats. “These are the type of actions that are low-hanging fruit,” he says.


Asking Providers About Cybersecurity


When selecting a recordkeeper or other plan provider, plan sponsors should ask about cybersecurity practices. They should be looking for a sense of partnership and communication on what is expected from a provider, and what it expects from them, says Allison Itami, principal at Groom Law Group.


“Cybersecurity is going to evolve, there is no static process,” she explains. “When you’re looking for a service provider, you want to be comfortable knowing that you’ll be in the loop and know that it is an evolving partnership.”


Instead of just asking about the number of incidents a service provider has had, plan sponsors should be asking how the provider will work with them in the event of a cyber incident in their plan, Itami says. The key is not to stress past data breaches, but to stress the impact they will have on how the provider works with plan sponsors and the plan in the future.


Sepsakos mentions asking whether a provider can present an audit of its cyber practices. Utilizing internal assistance, such as a plan sponsor’s own security team, to field questions and gain ideas to ask can be crucial in this process, and may help a plan sponsor better understand a provider’s cybersecurity measures, he adds.


“While we’re seeing more providers offer a cybersecurity guarantee, try to think about procedure and the technology the provider has, such as whether its site is data encrypted,” Sepsakos says.


At Voya, Nelson says, clients are protected by the S.A.F.E. program—if assets are taken out of an account, the company will restore its full value, given that participants have registered the account online and responded once notified about the potential unauthorized activity.


Nelson echoes Itami’s previous sentiments, mentioning the importance of engaging with plan providers to understand the tools used to educate their participants, and says that, among other actions, plan sponsors can ask their providers to do predictive analytics on both the call center and websites.


He adds, “There’s a variety of information that a plan sponsor can and should get to understand the general level of security for the plan and the participants.”