Cyber Security Matters to Retirement Plans too
Cyber Security in Retirement Plans
With National Cyber Security Awareness Month just behind us, and with the Department of Labor having recently expressed concerns, we are reminded of how prevalent and serious cybersecurity threats to retirement plans have become. As paperless processes continue to spread, the internet has become the primary channel of communication between plan sponsors, service providers and participants, and action is needed at every level to increase awareness of, and preparedness for, attacks on plan data. Many plans now handle participant requests and recordkeeping entirely online. Those transactions carry personally identifiable information (names, Social Security numbers, dates of birth, account balances and bank details) and are a prime target for attackers. As the plan sponsor, you have a fiduciary duty to manage plan data prudently and to develop internal risk management policies and procedures that protect this information.
You can begin by assessing the control environment of your service providers. Ask who has authorized access to plan data, how that access is granted and reviewed, and what procedures are in place to prevent and detect threats to its security. SOC 1 reports on the controls of the plan's service organizations can and should be obtained by the plan sponsor; however, these reports should not be relied upon for assurance about cybersecurity controls, because a SOC 1 report addresses controls relevant to financial reporting, not the security of the provider's systems. Where a provider can supply a SOC 2 report covering the security criteria, or the results of independent security testing, ask for those as well.
To assess their own controls and risk management, plan sponsors can engage experts to evaluate the hardware and software in place, test for weaknesses, and assess the condition of the overall environment. Regular testing should be performed to confirm that security policies and procedures are actually being followed. After assessing the environment, plan sponsors should identify the vulnerable areas and strengthen the surrounding controls. Every plan sponsor should develop an incident response and recovery plan before an intrusion occurs, and should routinely review, test and update that plan to reflect changes in personnel and technology. A well-designed plan limits the damage an attack can cause and reduces recovery time and cost. Plan sponsors should also implement an employee cybersecurity training program so that employees are prepared and educated on best practices for secure internet use. Training topics should include how to recognize phishing e-mails, how to choose strong passwords, and why software updates should be applied as soon as they become available.
Ignorance is not bliss when it comes to cybersecurity. Everyone is at risk and must take preventive measures to reduce the likelihood and impact of an attack and to ensure that valuable employee information is protected.