PSNC 2023: Cybersecurity Best Practices for Plan Sponsors

Experts note the importance of participant education and reviewing insurance held by vendors.

In talking about the risk faced by retirement savings plans from digital attacks, Larry Crocker, founder and CEO of Fiduciary Consulting Group, referred to famed bank robber Willie Sutton.

“When asked why he robbed banks, what was Willy’s response?” he asked an audience at the PLANSPONSOR National Conference in Orlando, Florida, last Thursday. Sutton’s retort, as noted by Crocker, was: “’That’s where the money is!’”

Retirement plans, Crocker told the audience of plan sponsors, are a target today because that is where so much wealth is held by American savers. It is therefore crucial for retirement plan committees—and their advisers—to engage in cybersecurity discussion and reviews as an ongoing part of their work, experts said during a panel session.

From left to right, Larry Crocker, Daniel Esch and Percy Lee. Photograph by Matt Kalinowski



As a guiding document, plan sponsors and advisers can start with the Department of Labor’s 2021 cybersecurity guidance, said attorney Percy Lee, of Ivins, Phillips & Barker, Chartered. This guidance is not law, Lee noted, but it is intended to guide fiduciaries on what regulators would look for in an audit.

The DOL advises plan sponsors to carefully vet third-party retirement service providers in terms of their digital standards and history, Lee said. Sponsors should have a review process that considers any record of cyber incidents, what a vendor’s response would be if they experienced a breach, and whether the firm’s cyber insurance covers the service provider, as well as any third party they are using, Lee said.

These conversations, while convenient when choosing a provider, should continue on a regular basis, Lee noted. “Part of your fiduciary governance is to maintain that conversation and to have regular fiduciary meetings and to hear reports from your providers, especially plan recordkeepers who have access to your plan assets and data,” Lee said.

Crocker noted that the DOL document for service provider reviews is two pages, the participant review handout is two pages and the employer document is four pages—alluding to the fact that employers bear the biggest cybersecurity burden.

“As this environment has changed, hopefully your items on your retirement plan committee have changed,” he said. “Hopefully there has been an extension to members of IT [to join the plan committee].”

Daniel Esch, a senior vice president and financial adviser with CAPTRUST, confirmed that since the DOL 2021 guidance, he has seen retirement plan committees add cybersecurity to their agendas and focus areas.

One thing Esch said he finds surprising when working with companies is that they often are not aware of the rate at which participants have—or have not—logged in and authenticated their retirement accounts. He said some companies show statistics of 50% to 60% of their participants having never gone in to set up their accounts, in part due to the growing practice of automatic enrollment.

“Those [accounts] are just sitting ducks for the cyber criminals to attack, because they take over the account authentication process extremely easily,” he said. “One of the very first things we advise plan sponsors on is looking at what percentage of your participants have authenticated their accounts overall.”

Esch also advised that retirement plan committees send communication to participants, whether from the plan sponsor or the recordkeeper, talking about good habits or “good hygiene,” as it relates to protecting participant data.

Esch noted that CAPTRUST helps with recordkeeper evaluations with the largest 15 or so providers. “100% of the clients that I work with want this report and will document it in their [committee meeting] minutes,” Esch said.

Fiduciary Crocker went on to list a few resources that plan sponsors and advisers can try for information and services—some, paid some unpaid—on cybersecurity. That list included: The Cybersecurity and Infrastructure Security Agency, part of the United States Department of Homeland Security; KnowBe4, a firm that provides cybersecurity training to employees; and the Centre for Fiduciary Excellence, which provides cybersecurity certification for firms.

Never miss a story — sign up for PLANSPONSOR newsletters to keep up on the latest retirement plan benefits news.

«