Because the personally identifiable information (PII) that defined contribution (DC) plans safeguard is a tempting target for cybercriminals, it is imperative for these plans to protect themselves from breaches of their data, The Segal Group says.
Failures could occur when sponsors exchange PII with recordkeepers or other service providers. Therefore, the firm recommends nine steps plans can take to hedge against cybersecurity risk:
- Create an information security policy and an incident-response plan.
- Minimize requests for and use of PII
- Train staff regularly
- Assess the information technology (IT) environment
- Mandate use of encryption for data-at-rest and data-in-motion
- Assess recordkeepers’ technology
- Review recordkeepers’ security procedures
- Set up and regularly review system activity logs
- Maintain adequate levels of cyber liability protection.
“Implementing an effective framework for managing DC plan data security risks will strengthen the plan’s control environment and may further improve stakeholder confidence,” says Julian Regan, senior vice president of Segal Marco Advisors, the investment solutions provider of The Segal Group.