Cyber-crime is on the rise worldwide. As a result, growing numbers of organizations are taking critical steps to protecting their valuable electronic data from hackers and other cyber criminals — a process known as cybersecurity. It’s serious business, and a trend retirement plan sponsors and committees should pay attention to.
In 2015, IBM’s chair, president and CEO Ginni Rometty said, “Cyber-crime is the greatest threat to every company in the world.”1 Last year, billionaire investor and businessman Warren Buffett echoed that sentiment, claiming that “cyber-attacks are a bigger threat to humanity than nuclear weapons.”2 In short, cyber-crime is extremely dangerous, and many businesses are vulnerable to cyber-attacks — some without even knowing it.
Thanks largely to the proliferation of high-profile cyber-attacks and data breaches that hit organizations in 2017 (including Equifax, which exposed the personal information of nearly half of Americans), Gartner Group has estimated worldwide cybersecurity spending will reach $96 billion in 2018.3 Moreover, information security research firm and publisher Cybersecurity Ventures predicts that, by 2021, cybercrime will cost the world $6 trillion annually.4 A single successful cyber-attack can cost an organization more than $5 million, or $301 per employee, according to the Ponemon Institute. Clearly, the costs related to cybersecurity threats are significant.
Beyond the expenses related to a potential cyber-attack, there are a number of reasons why retirement plan sponsors and committees should focus on specific cybersecurity efforts to protect their plan assets and information. For starters, if you think your plan isn’t a target, think again. It’s not a matter of if, but when your plan gets hacked.
Here’s why: Recently, cyber attackers have begun to set their sights on plan sponsors themselves rather than their recordkeepers and custodians because they know that the former typically lack the sophisticated cybersecurity defenses of their vendors.
Cybercriminals also know that defined contribution (DC) plan sponsors and their vendors manage large amounts of money, and in so doing, collect highly sensitive personal data from plan participants and their beneficiaries, including names, address, birthdates, and Social Security numbers. This information is extremely valuable to hackers because most of it is permanently associated with an individual and can’t be changed or canceled like a credit card or bank account information.
Enrollment data such as account balance, direct deposit and compensation/payroll information is also at risk, and therefore, potentially vulnerable to a cyber attack if not properly handled and protected by plan sponsors and their third party vendors. Therefore, it’s critical for sponsors to address cybersecurity within their own organizations, as well with vendors such as recordkeepers, trustees, TPAs and investment advice providers, which receive personal data from the plan.
Some examples of cyber threats to retirement plans might include fraudulent distribution or loan requests, or ransomware attacks and phishing techniques where a hacker might obtain log-in credentials (i.e., through a stolen laptop or mobile device storing personal data and passwords) to access participants’ account information online.
While retirement plan information is protected under specific regulations, there are no comprehensive laws that protect plan sponsors and service providers against cyber threats, like there are for group health plans (i.e., the Health Insurance Portability and Accountability Act, or HIPAA). Nonetheless, plan sponsors must act in a fiduciary capacity under the best interest clauses of the Employee Retirement Security Income Act (ERISA), the law that governs retirement plans. In addition, sponsors must adhere to the data privacy requirements for electronic notices. The following graphic breaks down the regulatory guidelines for plan sponsors’ fiduciary duties related to cybersecurity and electronic distribution of plan information:
Several states also have laws governing the protection of employees’ social security numbers and employers’ responsibilities to notify employees in the event of a security breach. However, these laws are designed to regulate the employer rather than the plan sponsor, so ERISA would likely take precedence in a retirement plan-related cyber-attack.
Most organizations take a reactive approach to cyber-attacks, addressing them only after an incident has occurred. However, that can be expensive, complicated, and mostly ineffective.
Plan sponsors have an opportunity to proactively address and manage cybersecurity risks using a variety of tactics to improve their ability to prevent, detect and respond to cyber-attacks.
First off, assume that your company’s retirement plan will be attacked. When setting up defenses against cyber threats, consider addressing the following questions:
In addition, plan sponsors should:
Moreover, sponsors should also encourage plan participants to:
Cyber threats are evolving and becoming more sophisticated every year. As such, plan sponsors must do their best to try to stay one step ahead of hackers by heightening their cybersecurity defenses to protect the personal information of participants and their beneficiaries.
Retirement plan fiduciaries can take proactive steps to help secure sensitive retirement plan data. The challenge for many is knowing where to start. We hope this article provided several key steps plan sponsors and retirement committees can take to boost their cybersecurity protections and fortify their plans against insidious cyber-attacks.
To learn more about our 401(k) services for employers, please click here.
1Morgan, Steve. “Top 5 Cybersecurity Facts, Figures and Statistics for 2018.” Jan. 2018.
2Oyedele, Akin. “BUFFETT: This is the number one problem with mankind.” May 2017.
3Crowe, Jonathan. “10 Must-Know Cybersecurity Statistics for 2018.” Feb. 2018.
4Morgan, Steve. “Cybercrime Damages $6 Trillion By 2021.” Oct. 2018.
Privacy Policy | Disclosures | Cookie Preferences | Do Not Sell or Share My Personal Information
Advisory services offered through Allworth Financial, a Registered Investment Advisor | Disclosures | Privacy Policy
Securities offered through AW Securities, a Registered Broker/Dealer, member FINRA/SIPC. Check the background of this firm on FINRA's BrokerCheck.
HMRN Insurance Agency, LLC license #0D34087
1Barron’s 2024 Top 100 RIA Firms. Barron's© magazine is a trademark of Dow Jones L.P. The ranking of independent advisory companies is based on assets managed by the firms, growth, technology spending, succession planning, and other metrics.
2 Retention Rate Source: Allworth Internal Data, FY 2022
3 The NBRI Circle of Excellence Award is bestowed upon NBRI clients meeting one or both of the following criteria: Total Company score at or above the 75th percentile of the NBRI ClearPath Benchmarking Database and/or improvement of five (5) or more benchmarking percentiles in Total Company score over the previous survey.
4 As of 7/1/2024, Allworth Financial, an SEC registered investment adviser and AW Securities, a registered broker/dealer have approximately $22.5 billion in total assets under management and administration.
5 InvestmentNews 2020 and 2021 Best Places to Work for Financial Advisers. The ranking reflects survey responses and scores completed by both employers and employees. Employers report their organization’s workplace policies, practices, and demographics. Employees complete a survey designed to measure the employee experience.
6 2021 Value of an Advisor Study / Russel Investments
7 Ranked 9th Top Wealth Managers By Growth in Assets in the U.S. from RIA Channel, 2022. RIA Database and RIA Channel are registered trademarks owned by Labworks, LLC.
8 USA Today Best Financial Advisory Firms 2024. The ranking is based on the growth of the companies’ assets under management (AUM) over the short and long term and the number of recommendations they received from clients and peers.
9 NBRI Best in Class Ethics 2023. The Best in Class level is bestowed upon clients performing at or above 90 percentile of the NBRI ClearPath Benchmarking Database.
✢ Scott Hanson, Investment Advisor 2005, 25 most influential people in the financial services industry. The ranking reflects 25 people who Investment Advisor magazine believes have had or will have the greatest influence on the financial services industry.
✼Pat McClain, InvestmentNews 2014, Invest in Others Community Service Award, presented to an advisor who has made an outstanding impact on a community through managerial contributions to a non-profit organization.
†Financial Times, FT 300 Top Registered Investment Advisers, June 2019. The ranking reflects six areas of consideration including the company's years in existence, industry certifications of key employees, AUM, asset growth, SEC compliance record and online accessibility and calculates a numeric score for each company.
Certified Financial Planner Board of Standards Inc. owns the certification marks CFP®, CERTIFIED FINANCIAL PLANNER™, CFP® (with plaque design) and CFP® (with flame design) in the U.S., which it awards to individuals who successfully complete CFP Board's initial and ongoing certification requirements.
Important Information
The information presented is for educational purposes only and is not intended to be a comprehensive analysis of the topics discussed. It should not be interpreted as personalized investment advice or relied upon as such.
Allworth Financial, LP (“Allworth”) makes no representations or warranties as to the accuracy, timeliness, suitability, completeness, or relevance of the information presented. While efforts are made to ensure the information’s accuracy, it is subject to change without notice. Allworth conducts a reasonable inquiry to determine that information provided by third party sources is reasonable, but cannot guarantee its accuracy or completeness. Opinions expressed are also subject to change without notice and should not be construed as investment advice.
The information is not intended to convey any implicit or explicit guarantee or sense of assurance that, if followed, any investment strategies referenced will produce a positive or desired outcome. All investments involve risk, including the potential loss of principal. There can be no assurance that any investment strategy or decision will achieve its intended objectives or result in a positive return. It is important to carefully consider your investment goals, risk tolerance, and seek professional advice before making any investment decisions.