Whether it is a robotic voice informing you that the IRS is going to sue you, your Instagram account being hacked, someone at your organization sending money in error thinking the directive came from the CEO, or a massive data breach like Equifax experienced, the world of hacking into people’s accounts is getting more sophisticated. Information security research firm and publisher Cybersecurity Ventures predicts that, by 2021, cyber-crime will run an annual cost of $6 trillion globally. As data breach headlines become more regular, pressure on organizations (including employers) to take appropriate precautions to safeguard sensitive personal data continues to grow. Retirement benefit plans seem particularly attractive targets with the abundance of sensitive personal data and hefty account balances. So, what can employers do with retirement partners and providers to ensure cybersecurity best practices are in place and risk management protocols are sufficient?
Over the past several years, our own firm has added dual authentication to our systems, file encryption capabilities, employed the use of a variety of tools, resources and software to keep data safe. We even go through annual training on cybersecurity, so we know what to look for and our IT department makes sure everyone is up to date on the latest news, threats, and trends. We have updated our policies and techniques which include collecting SOC1 and 2 reports from the providers we work with to ensure they have systems and controls in place for all processes, procedures in addition to privacy and cybersecurity policies. It has been a heavy lift to stay ahead of the game and we are encouraging our clients to do the same if you have not done so already. Your personal information and retirement savings deserve protection.
In April of this year, to safeguard the hard-earned account balances of your employees and their private details, the Department of Labor issued Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Recordkeepers and for Plan Participants. The guidance comes in three forms: Tips for Hiring a Service Provider; Cybersecurity Program Best Practices; and Online Security Tips (for participants and their beneficiaries). Knowing the basics of how your organization and the vendors you work with define a breach, who is responsible for the remedy and having a proactive risk management strategy are all critical components. It is good to note, ERISA has high expectations for plan fiduciaries when it comes to electronic dissemination of information and data privacy. Even if your plan is not governed by ERISA, we encourage following the protocols of plans that do.
Given this will be another area to audit, we are recommending our clients read through the three topics above and ask us for guidance and support so we can help you safeguard your plan, protect your people and your data.
While we continue to dodge emails full of malware or trojan horses and let the calls from robots go unanswered, our dedicated focus on making retirement plans the best they can be, will be coupled with being of service in this area to keep you cyber-aware and secure. Reach out with any questions to firstname.lastname@example.org and stay safe.