Cyber-crime is on the rise worldwide. As a result, growing numbers of organizations are taking critical steps to protecting their valuable electronic data from hackers and other cyber criminals — a process known as cybersecurity. It’s serious business, and a trend retirement plan sponsors and committees should pay attention to.
In 2015, IBM’s chair, president and CEO Ginni Rometty said, “Cyber-crime is the greatest threat to every company in the world.”1 Last year, billionaire investor and businessman Warren Buffett echoed that sentiment, claiming that “cyber-attacks are a bigger threat to humanity than nuclear weapons.”2 In short, cyber-crime is extremely dangerous, and many businesses are vulnerable to cyber-attacks — some without even knowing it.
Why is cybersecurity important?
Thanks largely to the proliferation of high-profile cyber-attacks and data breaches that hit organizations in 2017 (including Equifax, which exposed the personal information of nearly half of Americans), Gartner Group has estimated worldwide cybersecurity spending will reach $96 billion in 2018.3 Moreover, information security research firm and publisher Cybersecurity Ventures predicts that, by 2021, cybercrime will cost the world $6 trillion annually.4 A single successful cyber-attack can cost an organization more than $5 million, or $301 per employee, according to the Ponemon Institute. Clearly, the costs related to cybersecurity threats are significant.
Beyond the expenses related to a potential cyber-attack, there are a number of reasons why retirement plan sponsors and committees should focus on specific cybersecurity efforts to protect their plan assets and information. For starters, if you think your plan isn’t a target, think again. It’s not a matter of if, but when your plan gets hacked.
Here’s why: Recently, cyber attackers have begun to set their sights on plan sponsors themselves rather than their recordkeepers and custodians because they know that the former typically lack the sophisticated cybersecurity defenses of their vendors.
Cybercriminals also know that defined contribution (DC) plan sponsors and their vendors manage large amounts of money, and in so doing, collect highly sensitive personal data from plan participants and their beneficiaries, including names, address, birthdates, and Social Security numbers. This information is extremely valuable to hackers because most of it is permanently associated with an individual and can’t be changed or canceled like a credit card or bank account information.
Enrollment data such as account balance, direct deposit and compensation/payroll information is also at risk, and therefore, potentially vulnerable to a cyber attack if not properly handled and protected by plan sponsors and their third party vendors. Therefore, it’s critical for sponsors to address cybersecurity within their own organizations, as well with vendors such as recordkeepers, trustees, TPAs and investment advice providers, which receive personal data from the plan.
Some examples of cyber threats to retirement plans might include fraudulent distribution or loan requests, or ransomware attacks and phishing techniques where a hacker might obtain log-in credentials (i.e., through a stolen laptop or mobile device storing personal data and passwords) to access participants’ account information online.
What is my responsibility?
While retirement plan information is protected under specific regulations, there are no comprehensive laws that protect plan sponsors and service providers against cyber threats, like there are for group health plans (i.e., the Health Insurance Portability and Accountability Act, or HIPAA). Nonetheless, plan sponsors must act in a fiduciary capacity under the best interest clauses of the Employee Retirement Security Income Act (ERISA), the law that governs retirement plans. In addition, sponsors must adhere to the data privacy requirements for electronic notices. The following graphic breaks down the regulatory guidelines for plan sponsors’ fiduciary duties related to cybersecurity and electronic distribution of plan information: