Cybersecurity checklist for DC plan sponsors
Plan sponsors must prioritize effective security protocols to mitigate the threat of cyberattacks.
As of 2023, the FBI Internet Crime Complaint Center received
an average of over 2,400 cybersecurity complaints per day
and the losses reported due to investment scams become the
most of any crime type, as investment fraud losses in the US
spiked to $4.6 billion.1
1. Consider establishing a policy regarding cybersecurity monitoring or amend the committee charter. This can help define the oversight that will be conducted and the responsible parties within the organization. To ensure accountability and effectiveness, the committee should agree to perform and document specific actions related to cybersecurity monitoring. It is also important to regularly review this policy and committee charter.
2. Regularly communicate with participants regarding Department of Labor’s cybersecurity program’s best practices2 for protecting their accounts from cyber threats and fraud. This should include enrollment communication and annual communications specifically tailored to this topic. Use your recordkeeper to expand your messaging and document your efforts. For years, sponsors have directed participants to take a “set it and forget it” approach to their accounts, but active participants are more likely to identify a one-off breach of an account on a timely basis.
3. Review the annual audit report issued on your recordkeeper’s systems and processes to make sure any shortcomings affecting your plan are identified and addressed. To the extent that committee or internal company resources do not have expertise in this area, engage with an external resource to support the review process. Monitor recurring or significant issues to determine whether to take action on finding an alternative provider. Document audit activity within sponsor and committee records.
4. Flag any third parties or advisors that have access to your plan’s PII or participant financial information through the recordkeeper and determine what ongoing review of their practices should be conducted. Many recordkeepers outsource statement mailings or communications support that can require the sharing of participant data with third parties.
5. Understand your recordkeeper’s fraud policy, and request at least annual updates to see if any changes have been made. Although most recordkeepers are willing to make participants whole for losses incurred through no fault of the participant, some have begun to add stipulations regarding actions that the participant (or the sponsor) must take to be eligible. Confirm that the recordkeeper’s fraud policy extends to any contracted third parties.
6. Review the contract with the recordkeeper to help ensure it aligns with your organization’s expectations on:
- Use of participant data, particularly regarding services outside the qualified plan
- Financial commitments to reimburse participants if account breaches occur and duration of such commitments
- Timely notifications to you as plan sponsor regarding data security or fraud activity impacting your participants or systems
- Oversight of third parties contracted by the recordkeeper
- Level of support provided for the annual review of cyber practices and corresponding service level agreements
Engage an external expert to assist with contract review to ensure industry standards are being considered.
7. Conduct annual meetings between the recordkeeper and the committee regarding cybersecurity and include internal experts. Share with the committee materials prepared internally or externally reviewing the recordkeeper’s capabilities, and reflect the due diligence undertaken in meeting minutes.
8. When evaluating alternative recordkeepers, include cybersecurity and fraud prevention questions in any requests for proposal issued, and consider responses to those questions in the evaluation and selection process. To the extent that external parties are part of the service delivery (external custodians, partners for nonqualified plan services, etc.), confirm that all organizations are evaluated.
9. Use interim fee benchmarking projects to gather insight into marketplace practices and negotiate contractual changes or service enhancements where appropriate. Staying informed about market changes is essential to ensure that the incumbent remains up-to-date and, ideally, a market leader.
10. Engage internal IT or external DC plan specialist resources to review recordkeeper capabilities and contractual commitments. Recognizing that IT professionals do not necessarily have expertise in DC plan administration, consider whether an education session for the IT team would be helpful.
1 Source: FBI Internet Crime Complaint Center (IC3), 2023 Internet Crime Report
2 http://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf