Defined contribution plans and their partners share many important pieces of personally identifiable information (PII). Therefore, plan administrators should implement measures to protect PII and their participants from cyberattacks wherever possible.

Cybersecurity and Your Retirement Plan – Are Your Participants at Risk?

Types of PII that are shared in normal, day-to-day plan activity can include:

  • Name
  • Date of birth
  • Social Security number (SSN)
  • Address
  • Email address
  • Bank account information
  • Account balance
  • Compensation data

Plans using paper forms for enrollment, account statements, or other reasons – particularly when SSNs are used – present additional risks to participant accounts because much of the above information is presented together, with few to no security controls.

Both the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have adopted a series of requirements for financial institutions servicing defined contribution plans. Financial service providers are required to develop and implement various security and confidentiality procedures and tools designed to detect fraud and theft. These requirements generally apply to a plan’s consultants, investment advisors, and service providers.

What can be done to improve security and minimize the risk of fraud to participant accounts?

There are two initial steps a plan sponsor can take to help reduce the risk of cyberattacks. First, encourage all participants to set up an online account. A participant who has not claimed an online account is far more exposed to fraud, because an attacker can register that account in the participant's name and gain access to the participant's funds. Second, plan sponsors can request a copy of a provider's SOC 2 report (a Report on Controls), an audit report that describes an organization's internal controls and attests to their strength.

The National Association of Government Defined Contribution Administrators (NAGDCA) has published a brief on cybersecurity; read it here.
