In light of the Department of Labor (DOL) auditing 401(k) plans and requiring explanation and documentation of an organization’s approach to cybersecurity, it is important for employers to understand where the cyber risks are in 401(k) plans, what questions they need to have ready answers to and how Smith and Howard can step in and help.
If your company administers 401(k) plans, or other defined contribution plans, on the behalf of your employees, you have certain fiduciary responsibilities. A major element of this is the investment options you present to plan participants, but equally important is the cybersecurity policies you have in place to secure sensitive information.
In 2021, upwards of 60 million Americans participated in 401(k) plans, with millions more seniors accessing their funds to support their retirement. In sum, Americans had some $7.3 trillion invested in 401(k) plans in September 2021. With so much money at stake, 401(k) plans have become an attractive target for cyberattackers. Since the onset of the pandemic, there’s been a huge uptick in the number of cyberattacks, and attempted breaches of 401(k) plans are no exception.
As a plan sponsor, a business has access to a wide variety of privileged information for these individuals, ranging from employees’ social security numbers to the performance of their retirement accounts. If a company’s information systems were compromised, it could spell disaster for your employees’ retirement plans and other personal financial accounts, not to mention the reputation of your company.
To fulfill their fiduciary duties, its imperative plan sponsors have robust cybersecurity policies in place to effectively safeguard the data of their plan participants. Recent DOL audits have included cybersecurity questionnaires that assess the security infrastructure of plan sponsors. Its crucial plan sponsors proactively invest in upgrading their cybersecurity infrastructure with the support of a partner like Smith and Howard, rather than wait for security shortcomings to be exposed by an audit.
In this guide, we will explore the cybersecurity policies and best practices plan administrators should adopt to harden their security infrastructure and better protect their employees’ hard-earned retirement savings.
In April 2021, the U.S. Department of Labor released its much-anticipated cybersecurity guidance for 401(k) plan sponsors, participants, record keepers, and plan administrators. The guidance applies to all plan sponsors subject to Employee Retirement Income Security Act (ERISA) regulations.
This was the first time such guidance had been released, and many analysts believe it came in response to the increasing number of emerging cyber threats in this field.
The rapid shift to remote work marked a significant change in the working practices of many plan sponsors. Documents that were completed and stored physically transitioned to digital environments. This wasn’t unique to 401(k) plan sponsors––it was a pattern evident across practically every industry.
The almost overnight pivot to remote working environments presented all kinds of new opportunities to cyberattackers. This resulted in a significant increase in cyberattacks. In 2021, there was a 15.6% increase in cyberattacks. Businesses are typically ill-equipped to effectively defend themselves, with just half of U.S. businesses having a cybersecurity risk plan in place.
If major security breaches can happen to Fortune 100 firms with entire teams of cybersecurity professionals, there’s no question they could happen to your business. Each new security incident underscores the importance for all businesses to take steps to protect themselves and their staff and to have a plan in place to address a future cyberattack.
Plan administrators in particular need to be aware of their fiduciary obligations. They’re the professionals tasked with submitting contributions and handling sensitive data. While the majority of record-keepers––financial services institutions like Fidelity and Vanguard––have extremely sophisticated cybersecurity infrastructures, these are less consistent in small to mid-sized businesses. Even so, no one is immune.
Adhering to cybersecurity best practices is vital in ensuring that highly confidential data remains secure. These best practices include:
You should consider all of these best practices as must-haves, not nice-to-haves. The DOL can audit any 401(k) plan and is actively doing this in the field. In the event of such an audit, you’ll be required to fully explain your organization’s approach to cybersecurity. Keep in mind that it is a costly and arduous process to undergo an audit. Certain responses, technology systems, a protocol, and proof will have to be available and the process could be far from simple.
At Smith and Howard, we ask our clients the following questions to ensure their cybersecurity infrastructures are set up for success:
Ideally, the answer should be a resounding “yes” to all of these questions, except for the last one. If the answer is no, or are unsure of your company’s answers to these questions, it’s likely you require guidance navigating your cybersecurity responsibilities.
In cybersecurity, it’s always best to proactively address these issues. The unappealing alternative is to wait for these issues to be flagged as a governance issue in the process of an audit, or worse, cause a security breach.
At Smith and Howard, our Cyber Risk Management + Compliance practice provides strategic, actionable solutions that enable organizations to fulfill their fiduciary responsibilities. The best first step is often a cyber risk assessment. These assessments identify key priorities and outline a path to addressing your organization’s most pressing issues.
If you have any questions and would like to connect with a team member please call 404-874-6244 or contact an advisor below.
CONTACT AN ADVISOR