Cybersecurity for Retirement Plans

Aubrey Lovegrove

As our lives become ever more intertwined with technology, cybersecurity has become a critical issue.

Fraud and data breaches have been seen for years, and retirement plans have not gone unscathed.

For instance, in 2008, State Street Corporation alerted its employees, and the individual customers of Investors Financial Services Corporation (also known as IBT, a company State Street had taken over the year before), that their personal information was at risk because the computer equipment holding it had been taken from a legal support vendor's facility.

Four years later, participants in the Federal TSP had their data put in jeopardy by a cyber attack.

Two years after that, in 2015, the Independent School District revealed that a drive holding the records of over 11,000 403(b) and 457(b) account holders had been misplaced.

In another incident, a former Estee Lauder 401(k) participant sued the company and the plan provider after almost $100,000 was stolen from their account through three withdrawals that the participant had not authorized.

These events, along with many others, show that strengthening the cybersecurity of retirement plans must become a higher priority.

U.S. courts have not yet decided whether overseeing cybersecurity is a fiduciary matter. However, the Employee Retirement Income Security Act Advisory Council has asked the Department of Labor to assist with cybersecurity.

Plan sponsors want assurance that retirement plan providers have measures in place to safeguard participants' personal information. The providers themselves, however, are cautious about giving out confidential details of those measures.

To resolve this tension, the SPARK Institute developed a framework that plan providers can follow to disclose their cybersecurity measures.

Plan providers engage a third-party auditor who reviews 16 data security areas. Every auditor report must include detailed information on each of SPARK's 16 control objectives.

Those 16 control objectives are: access control; asset management; business resiliency; cloud security; communications and operations management; compliance; encryption; human resource security; incident and communications management; information systems acquisition development; mobile; organizational security; physical and environmental security; risk assessment and treatment; security policy; and supplier risk.

The plan sponsor can then compare different plan providers against the same standard when selecting one.

However, the burden of defense should not rest on the provider alone; sponsors and those who do the record-keeping share it. Both parties must put written fraud-prevention procedures in place and follow them to the letter.

They should also prioritize ensuring security over speed and efficiency, since a focus on speed has left data vulnerable to fraud and compromise.

Experts also recommend that sponsors and record keepers ensure accounts are reconciled, cleared and distributed with as few errors as possible, with every transaction identified and approved.

If payments go uncashed, there should be procedures for contacting the recipient and a set timeframe after which the money is returned to the retirement account.

Experts also advise implementing checks and balances: no one person should be able both to alter contact information and to resend a payment. These tasks should be handled by separate workers, adding another layer of defense for participants.

If one person must be able to do both, there should be strict guidelines requiring the change and the reissued payment to be submitted for approval, and every transaction should be documented for auditing, whether it is performed manually or within a system.
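The separation-of-duties and audit-trail control described above, as an added example that is not part of the original article: a small audit routine over a constructed recordkeeping ledger that logs every transaction and flags a payment reissue by the same worker who recently changed the participant's contact details without a second, independent approver. Field names, the 30-day window and the sample transactions are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Txn:
    when: datetime
    participant: str                 # plan participant account id (constructed)
    kind: str                        # "contact_change" or "payment_reissue"
    operator: str                    # worker who performed the step
    approver: Optional[str] = None   # independent second person, if any


# Assumed window in which a contact change followed by a reissued payment is suspicious.
SOD_WINDOW = timedelta(days=30)


def audit_transactions(txns: List[Txn]) -> Tuple[List[str], List[str]]:
    """Return (audit_log, violations). Every transaction is logged. A violation is a
    payment reissue by the same operator who changed that participant's contact details
    within SOD_WINDOW, unless a different person approved the reissue."""
    log, violations = [], []
    recent_changes: Dict[str, List[Txn]] = {}   # participant -> contact changes seen so far
    for t in sorted(txns, key=lambda x: x.when):
        log.append(f"{t.when:%Y-%m-%d} {t.participant} {t.kind} by {t.operator} approver={t.approver}")
        if t.kind == "contact_change":
            recent_changes.setdefault(t.participant, []).append(t)
        elif t.kind == "payment_reissue":
            independent = t.approver is not None and t.approver != t.operator
            for c in recent_changes.get(t.participant, []):
                if c.operator == t.operator and t.when - c.when <= SOD_WINDOW and not independent:
                    violations.append(f"{t.participant}: {t.operator} changed contact info on "
                                      f"{c.when:%Y-%m-%d} and reissued a payment on "
                                      f"{t.when:%Y-%m-%d} without independent approval")
    return log, violations


# Constructed sample ledger (not real plan data).
SAMPLE_TXNS = [
    Txn(datetime(2024, 3, 1), "P-1001", "contact_change", "alice"),
    Txn(datetime(2024, 3, 3), "P-1001", "payment_reissue", "alice"),                   # flagged
    Txn(datetime(2024, 3, 5), "P-2002", "contact_change", "bob"),
    Txn(datetime(2024, 3, 6), "P-2002", "payment_reissue", "carol"),                   # separate workers
    Txn(datetime(2024, 3, 10), "P-3003", "contact_change", "dave"),
    Txn(datetime(2024, 3, 12), "P-3003", "payment_reissue", "dave", approver="erin"),  # approved
    Txn(datetime(2024, 3, 1), "P-4004", "contact_change", "frank"),
    Txn(datetime(2024, 5, 15), "P-4004", "payment_reissue", "frank"),                  # outside window
]

if __name__ == "__main__":
    audit_log, found = audit_transactions(SAMPLE_TXNS)
    print("\n".join(audit_log))
    print("violations:", found)
```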

Sponsors should also have a policy of extensive background checks for anyone with access to sensitive plan data, repeated on an ongoing basis rather than only when someone starts a job.

Other experts say sponsors should make sure their insurance policies cover cybersecurity incidents. There are riders as well as complete insurance policies that cover cybersecurity.

Sponsors should also examine how service providers address cybersecurity in their contracts. The contract should state how the provider will use plan data and what it does with data it no longer needs, such as encrypting and destroying it.

The contract should also state how the provider will respond to a cybersecurity breach and what it is doing to prevent one. Sponsors should look for language about who is liable if a breach occurs and whether there will be compensation.

Some plan providers have guarantees on cybersecurity.

Participants should also take responsibility for safeguarding their information. One essential step is to register their online account themselves, so that nobody else can register it in their name.

Some individuals believe that not signing up for an online account is more secure than having one. That is a misconception: criminals may set up online access themselves and supply the contact information needed to control the account.

Participants should also use a strong password; password generators can help create one. Two-step authentication requires more than one step to access an account, so a stolen password alone is not enough.

They should also have updated anti-virus and anti-malware software on their devices.

They should also be wary of clicking links sent by people they do not know.

Another significant factor is being aware of what information they post on social media. Details such as the city they live in and the company they work for can give criminals a foothold.

Federal TSP participants should have seen their online security measures updated to be more rigorous than before, with two-step authentication for online access and validation of their contact information.

Though this is more secure for participants, many will very likely complain about the inconvenience. However, a little inconvenience is worth the added protection from fraud.
