ANDREW S. WILLIAMS

Senior Counsel

Cybersecurity and Your Retirement Plan

March 5, 2025

It’s no secret that retirement plans are the target of cybercriminals. For example, see the details of a cybercriminal stealing a participant’s 401(k) account through a phishing scam here. What should employers who sponsor retirement plans do to protect their employees’ plan assets and participant data as well as ward off possible civil liability for any losses?

The U.S. Department of Labor (DOL) has issued guidance on best cybersecurity practices for retirement plans. Although this guidance is not binding, it warrants serious consideration by plan sponsors and fiduciaries. Implementing a data security and privacy protection policy that follows it would provide a high level of protection for plan assets and a defense against any claim that plan fiduciaries have not been diligent in protecting the plan and its participants. Here are a few matters that might be of concern to you:

· You may already have a compliant security and privacy protection policy for your business. If so, make sure it applies to the assets of your retirement plan and the personal information of participants.

· Do the service providers for your retirement plan have formal policies on the storage and protection of personal information disclosed by plan participants such as Social Security numbers, home addresses and financial information?

· Do plan participants and your employees in general understand the basics of protecting data on their own laptops and cell phones as well as those provided for business purposes? 

· Do the service providers for your retirement plan (recordkeepers, third party administrators and investment advisors) maintain cybersecurity insurance?

The DOL has provided more detailed online guidance on best cybersecurity practices, which can be found here.

TAKEAWAYS:

Employers who sponsor retirement plans should give serious consideration to the adoption of a formal data security and privacy protection policy. It’s good business and it’s a good practice for plan fiduciaries. Bear in mind that employers themselves are typically fiduciaries to their retirement plans as the designated “plan administrator.” Third party administrators and other plan service providers should do likewise. The first compliance step is to review the DOL guidelines in the link above and raise any questions you have with an advisor. Do not hesitate to contact Andrew Williams with any cybersecurity matters you may want to discuss in greater detail.
