Cybersecurity Policies on 401(k) Plans

In light of the Department of Labor (DOL) auditing 401(k) plans and requiring explanation and documentation of an organization’s approach to cybersecurity, it is important for employers to understand where the cyber risks are in 401(k) plans, what questions they need to have ready answers to and how Smith and Howard can step in and help.

If your company administers 401(k) plans, or other defined contribution plans, on the behalf of your employees, you have certain fiduciary responsibilities. A major element of this is the investment options you present to plan participants, but equally important is the cybersecurity policies you have in place to secure sensitive information. 

In 2021, upwards of 60 million Americans participated in 401(k) plans, with millions more seniors accessing their funds to support their retirement. In sum, Americans had some $7.3 trillion invested in 401(k) plans in September 2021. With so much money at stake, 401(k) plans have become an attractive target for cyberattackers. Since the onset of the pandemic, there’s been a huge uptick in the number of cyberattacks, and attempted breaches of 401(k) plans are no exception. 

As a plan sponsor, a business has access to a wide variety of privileged information for these individuals, ranging from employees’ social security numbers to the performance of their retirement accounts. If a company’s information systems were compromised, it could spell disaster for your employees’ retirement plans and other personal financial accounts, not to mention the reputation of your company. 

To fulfill their fiduciary duties, its imperative plan sponsors have robust cybersecurity policies in place to effectively safeguard the data of their plan participants. Recent DOL audits have included cybersecurity questionnaires that assess the security infrastructure of plan sponsors. Its crucial plan sponsors proactively invest in upgrading their cybersecurity infrastructure with the support of a partner like Smith and Howard, rather than wait for security shortcomings to be exposed by an audit.

In this guide, we will explore the cybersecurity policies and best practices plan administrators should adopt to harden their security infrastructure and better protect their employees’ hard-earned retirement savings. 

The Renewed Focus on Cybersecurity Policies for 401(k) Plans

In April 2021, the U.S. Department of Labor released its much-anticipated cybersecurity guidance for 401(k) plan sponsors, participants, record keepers, and plan administrators. The guidance applies to all plan sponsors subject to Employee Retirement Income Security Act (ERISA) regulations. 

This was the first time such guidance had been released, and many analysts believe it came in response to the increasing number of emerging cyber threats in this field. 

The rapid shift to remote work marked a significant change in the working practices of many plan sponsors. Documents that were completed and stored physically transitioned to digital environments. This wasn’t unique to 401(k) plan sponsors––it was a pattern evident across practically every industry. 

The almost overnight pivot to remote working environments presented all kinds of new opportunities to cyberattackers. This resulted in a significant increase in cyberattacks. In 2021, there was a 15.6% increase in cyberattacks. Businesses are typically ill-equipped to effectively defend themselves, with just half of U.S. businesses having a cybersecurity risk plan in place. 

If major security breaches can happen to Fortune 100 firms with entire teams of cybersecurity professionals, there’s no question they could happen to your business. Each new security incident underscores the importance for all businesses to take steps to protect themselves and their staff and to have a plan in place to address a future cyberattack.  

Plan administrators in particular need to be aware of their fiduciary obligations. They’re the professionals tasked with submitting contributions and handling sensitive data. While the majority of record-keepers––financial services institutions like Fidelity and Vanguard––have extremely sophisticated cybersecurity infrastructures, these are less consistent in small to mid-sized businesses. Even so, no one is immune.

Best Practices for Plan Sponsors

Adhering to cybersecurity best practices is vital in ensuring that highly confidential data remains secure. These best practices include:

• Password Management: it’s important that all users––not just those tasked with plan administration––embrace robust password management techniques. In practice, that means regularly changing passwords and choosing passwords with a mix of uppercase characters, lowercase characters, numbers, and symbols. 

• Access Management: the devices belonging to those tasked with managing defined contribution plans within an organization should be subject to heightened security measures. Consider mandating that these employees use a Virtual Private Network (VPN) while working and enforce multi-factor authentication on all of their accounts. 

• Data Encryption: confidential information should only ever be sent in an encrypted format over secure networks.

• Employee Training: all employees should receive regular cybersecurity training, especially on topics such as how to spot phishing emails. Many providers of these training programs also offer simulated phishing tests that enable employers to understand which employees present a security risk. 

• Disaster Recovery Plan: in the event of a cybersecurity incident, it’s vital to have a disaster recovery plan in place. These plans shape the organization’s response in the minutes, hours, and days following a cyberattack and minimize the potential damage caused by a security breach. 

You should consider all of these best practices as must-haves, not nice-to-haves. The DOL can audit any 401(k) plan and is actively doing this in the field. In the event of such an audit, you’ll be required to fully explain your organization’s approach to cybersecurity. Keep in mind that it is a costly and arduous process to undergo an audit. Certain responses, technology systems, a protocol, and proof will have to be available and the process could be far from simple.

Cybersecurity Audit Checklist

At Smith and Howard, we ask our clients the following questions to ensure their cybersecurity infrastructures are set up for success:

1. Do you have a formal cybersecurity program?
2. Do you have access controls and identity management, including any use of multi-factor authentication?
3. Do you have a disaster recovery plan?
4. Do you have a policy for managing vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties?
5. Do you have cybersecurity awareness training?
6. Do you have encryption to protect all sensitive information transmitted, stored, or in transit?
7. Has there been a recent cybersecurity breach?

Ideally, the answer should be a resounding “yes” to all of these questions, except for the last one. If the answer is no, or are unsure of your company’s answers to these questions, it’s likely you require guidance navigating your cybersecurity responsibilities. 

In cybersecurity, it’s always best to proactively address these issues. The unappealing alternative is to wait for these issues to be flagged as a governance issue in the process of an audit, or worse, cause a security breach. 

At Smith and Howard, our Cyber Risk Management + Compliance practice provides strategic, actionable solutions that enable organizations to fulfill their fiduciary responsibilities. The best first step is often a cyber risk assessment. These assessments identify key priorities and outline a path to addressing your organization’s most pressing issues. 

Contact an advisor today to learn more.