Cybersecurity: Implementing Best Practices for Plan Sponsors


Cyberattacks, attempts by criminals to deliberately and maliciously exploit computer systems to steal information or identities, have risen substantially over the past 16 years. According to the Federal Bureau of Investigation, over 3.4 million internet crime-related complaints have been reported since 2000, and in 2015 alone nearly 290,000 complaints were received with over $1 billion in reported losses.

In the financial industry specifically, a 2013 examination conducted by the Securities and Exchange Commission (SEC) highlighted how common cyberattacks have become. Among the more than 100 broker-dealers and registered investment advisers examined, nearly 90% of broker-dealers and almost three-fourths of advisers had experienced cyberattacks, either directly or through one or more of their vendors.

The 401(k) market is not immune to destructive cybercrimes, as the trillions of dollars invested in retirement plan accounts have enticed criminals.

Plan sponsors increasingly face the dual challenge of providing online access to participants’ retirement plans while keeping their information secure from cybercriminals. Once online, participants’ names, account information and Social Security numbers can be exposed by a data breach. In addition, plan participants tend to check their retirement accounts far less often than a bank account, so fraudulent activity can go unnoticed for longer. These factors make it essential for plan sponsors to implement and maintain a cybersecurity strategy and to keep current on best practices.

Cybersecurity For ERISA Fiduciaries

The 2016 Employee Retirement Income Security Act (ERISA) Advisory Council has acknowledged the increasing challenge faced by plan sponsors. With the varying size and complexity of plans, including the growth in retirement and health and welfare accounts, there cannot be a one-size-fits-all approach.

Therefore, complementing the work done in 2011 and 2015, the 2016 Council has begun to focus on scalable elements of management strategies that help minimize the exposure of plan participants’ data to a cyberattack. The Council anticipates that one outcome of the meetings will be materials to help plan sponsors create a risk management strategy and incorporate cybersecurity into the vendor selection and monitoring process.

Multiple Vantage Points

In terms of developing a cybersecurity plan, plan sponsors should consider the possibility of security breaches from multiple vantage points including the following three:

  • Third-party vendors with access to firm networks or data can increase a plan sponsor’s cybersecurity risk in the event of a cyberattack. One notable example: the hackers who stole 40 million credit and debit card numbers from Target gained access by stealing the login credentials of a heating-and-air-conditioning contractor.
  • Employees can also cause a breach. Many times it is an unintentional action, such as misplacing a laptop, accessing client data over an unsecured internet connection, or opening email messages and downloading attachments.
  • Plan participants can individually cause a breach that damages their own account. A few examples of cyberattacks on a retirement account include:
    • Via email, a criminal masquerades as a bank or institution the victim has a relationship with in order to solicit personal data.
    • Criminals access personal data through the use of malicious software.
    • Criminals collect information about their victims and withhold access to a computer system or account until a sum of money is paid.

Taking A Cue From The SEC

Due to the extensive damage a cyberattack can cause, plan sponsors may want to adopt best practices now if they have not already done so. The Securities and Exchange Commission (SEC) made cybersecurity a priority in 2016 when conducting examinations of registered broker-dealers and investment advisers. Its Risk Alert memo highlighted the following areas of focus for determining cybersecurity preparedness, which provide a good starting point:

  • Governance and risk assessment processes tailored to the business. Are firms periodically evaluating cybersecurity risks? Are controls and risk assessment processes tailored to their business?
  • The implementation of access rights and controls. How have firms prevented unauthorized access to systems or information? What kind of multifactor authentication could prevent unauthorized access?
  • Preventing data loss. How do firms monitor content transferred outside the firm by employees or third parties? How do firms verify the authenticity of a customer request to transfer funds?
  • Controls related to vendor management. How are vendor selection, monitoring, oversight and contract terms incorporated into the ongoing risk assessment process? How does the firm determine the appropriate level of due diligence on a vendor?
  • Employee and vendor training. Which vendors have network or data access, and what controls are in place to mitigate cybersecurity risks? What training is facilitated with vendors? How do you conduct training tailored to job functions?
  • Responding to incidents. What are the firm’s policies and procedures for cybersecurity incident response? Do you have a remediation plan that will be carried out in the event of a cyberattack?

While cybersecurity is complex, it is worth the time to study and adopt best practices and to keep up with the changing cyber landscape. As always, your local ABG representative is available as a resource for any questions you may have.