Protecting Retirement Plan Data in a Virtual World

The more virtual our world becomes, the more important it is we safeguard our information online. Taking steps to achieve cybersecurity is vital, and for retirement plan fiduciaries, an important part of their duty. The U.S. Department of Labor (DOL) provides guidance for plan fiduciaries that helps them protect the personal information of their participants online.

The Employee Benefits Security Administration (EBSA), an agency under the DOL, shared data that demonstrates how critical it is for online information to be securely held. In 2018, over 140 million Americans were participating in either defined benefit or defined contribution plans. Altogether, these plans cover assets worth approximately $9.3 trillion – making the plans a huge target in our current environment that saw nearly 4,000 data breaches in 2020. If the data of these plans is compromised, so are the assets.

The DOL doesn’t expect plan fiduciaries to be cybersecurity experts; however, they do expect them to take adequate measures to reduce cybersecurity risks. To assist fiduciaries and other involved parties, EBSA issued cybersecurity guidance. According to EBSA, three broad steps are key to ensuring retirement benefits and personal information are protected:

  1. Hire a retirement plan provider with strong cybersecurity procedures
  2. Follow EBSA’s cybersecurity program best practices
  3. Encourage participant engagement in your online security measures

Hiring Secure Service Providers

Business owners who outsource their retirement plan management must ensure they work with providers that follow strong cybersecurity practices. The DOL encourages plan sponsors to regularly audit their providers, asking the following questions:

  • What are the provider’s information security standards, practices and policies?
  • Does the service provider follow a recognized standard for information security and utilize an outside/third-party auditor to review and validate cybersecurity?
  • What level of security standards has the provider met and implemented?
  • Has the provider ever had a security breach, and, if so, how did they handle it?
  • Does the provider have insurance policies that would cover losses caused by cybersecurity breaches?

The DOL also encourages taking matters into your own hands – monitoring the cybersecurity practices and history of your service provider, while ensuring your contract with the provider emphasizes information security standards. See the DOL’s Tips for Hiring Service Providers for more actions to take.

Cybersecurity Program Best Practices

EBSA issued 12 best practices for cybersecurity as it relates to retirement plan-related IT systems and data. Several fundamental best practices are listed here (for the full list and a detailed description of each, see the DOL’s Cybersecurity Program Best Practices):

  • Conduct annual risk assessments to identify, estimate and prioritize information system risks
  • Have an annual third-party audit to assess your security controls and provide a clear, unbiased report of risks, vulnerabilities and weaknesses
  • Clearly define and assign information security roles and responsibilities to qualified personnel
  • Conduct periodic cybersecurity awareness training to set clear expectations and educate employees
  • Protect nonpublic information by encrypting sensitive data

Encouraging Participant Buy-in

Fiduciaries and service providers are not the only groups who play a role in protecting private plan information online – plan participants must realize they are part of the cybersecurity solution, too. Even if an organization implements strong cybersecurity policies and practices, data is still vulnerable if participants are careless with their passwords, accounts and online behavior. Fiduciaries can pass along the DOL’s Online Security Tips to encourage participants to prioritize data privacy. Plan participants should be educated on how to:

  • Register, set up and regularly monitor their accounts
  • Use strong passwords and multi-factor authentication
  • Keep contact information updated
  • Delete unused accounts
  • Be cautious of free public Wi-Fi
  • Use antivirus software and keep apps and software updated
  • Recognize, avoid and report phishing attacks and other cybersecurity threats

In accordance with its guidance, the DOL expects fiduciaries, service providers and plan participants to take strong measures to protect retirement plan information online. Working together, all parties can share responsibility for cybersecurity and the protection of plan data and assets.

Investment Advisory Services offered through Boulay Financial Advisors, LLC a SEC Registered Investment Advisor. Certain Third Party Money Management offered through Valmark Advisers, Inc. a SEC Registered Investment Advisor. Securities offered through Valmark Securities, Inc. Member FINRA, SIPC 130 Springside Drive, Suite 300 Akron Ohio 44333-2431* 1-800-765-5201

Boulay PLLP and Boulay Financial Advisors, LLC are separate entities from Valmark Securities, Inc. and Valmark Advisers, Inc. Prime Global is not affiliated with Valmark Securities, Inc. and Valmark Advisers, Inc.