What Is a Proper Cybersecurity Policy for a Retirement Plan?

Plan fiduciaries should consider third-party audits, multi-factor authentication, cyber insurance and more when developing a written cybersecurity policy.

As participant data and plan assets increasingly become targets of cyberattacks and ransomware, plan fiduciaries need pre-established procedures in place to protect participants and themselves in the event that a breach occurs.

Developing a written cybersecurity policy with specific required procedures is necessary for plan sponsors to uphold their fiduciary duty and comply with Department of Labor standards, according to an insight brief published by law firm Cohen & Buckmann P.C.


“Although it isn’t specifically required by law, a written cybersecurity policy should be given the same importance as the plan’s investment policy statement, missing participant procedures … and loan procedures,” attorney Carol Buckmann wrote. “And given the frequency with which new kinds of threats and attacks occur, the cybersecurity policy will need to be reviewed and updated on a regular basis.” 

The DOL updated its cybersecurity guidance in September for retirement plans and health and welfare plans covered by the Employee Retirement Income Security Act. The DOL also offers guidance for hiring service providers with strong cybersecurity practices.  

While ERISA does not specifically mention cybersecurity, the fiduciary duties of prudence and of acting in the best interest of participants include safeguarding sensitive personal and account information.

Cohen & Buckmann recommends considering several factors when developing a cyber policy. 

For plan fiduciaries with access to personal data or participants’ investment accounts, Buckmann wrote that training is needed to make sure that the individuals with access to that information do not respond to phishing attempts or inadvertently install malware on their computers.

Cybersecurity training is also important for employees at recordkeeping firms, as several recent lawsuits by participants whose accounts were accessed by hackers stemmed from attacks made possible by human error.

Fidelity Investments was sued in October, for example, after the personal information of 77,000 customers was exposed. Plaintiffs alleged that the recordkeeper failed to implement “adequate and reasonable measures” to ensure their computer systems were protected.  

The case, Gluck et al v. Fidelity Investments, is currently pending in the U.S. District Court of Massachusetts (Boston).  

Plan fiduciaries should also insist that recordkeepers and other providers offer multi-factor authentication for accounts in their plans, according to Cohen & Buckmann, as it significantly lowers the risk of account takeover by requiring users to present more than one form of authentication. Cybercriminals may be able to guess or steal user names and passwords, but it is more difficult for them to supply a further factor, such as a one-time code sent to a participant’s cell phone. One practical caveat: codes sent by text message can be intercepted through SIM-swap and phishing attacks, so authenticator apps or hardware security keys provide stronger protection where a provider offers them.

In addition, any service provider with access to plan data or with authority to direct investments should undergo regular third-party audits of its systems and perform regular penetration tests (authorized, simulated cyberattacks against its own systems). When conducting requests for proposals for service providers, fiduciaries should ask whether providers receive regular third-party audits of their systems and how recently the last one was completed.

Because many providers use subcontractors to perform certain services for the plan, it is also essential that subcontractors are subject to the same scrutiny. If a subcontractor experiences a breach, it can have a ripple effect and expose plan participants’ data to hackers. 

Plan sponsors should also seek to understand what happens to plan data when a service contract is terminated. According to Cohen & Buckmann, service providers should not retain data longer than required by law. Data should either be destroyed or returned to the plan after a contract ends. 

Another important aspect of a cyber policy is ensuring that the plan has adequate cybersecurity insurance coverage. Because claims can be raised under state law, standard ERISA fiduciary liability insurance may not fully cover fiduciaries and their service providers. ERISA bonding coverage also does not cover theft of assets by criminal hackers. As a result, the law firm recommends that an expert review a plan’s current coverage to determine whether additional insurance is needed as part of the plan sponsor’s cyber policy.

Overall, Cohen & Buckmann stated that fiduciaries do not need to create these policies alone, as few plan sponsors are able to do so without assistance. Corporate security personnel should also be involved in this process, regardless of whether they are involved in running the retirement plan.

“The bottom line is that fiduciaries may be personally liable for losses caused by their breaches of their fiduciary responsibility to mitigate cybersecurity risks,” the firm stated in the insight brief.  

Holistic Planning is Key to Navigating Retirement Income Challenges

An Ameriprise Financial executive discusses how to navigate the shift from saving for retirement to managing distributions.

As individuals approach the end of their working lives, the shift from saving for the future to managing funds during retirement presents unique challenges. Rohan Sharma, vice president of retirement income at Ameriprise Financial, emphasizes the importance of holistic planning for retirees and those nearing retirement in a recent conversation with PLANADVISER. 

Sharma highlights a definitive change in financial goals during this transition. “This is a fundamental shift in your investment goals, in investor goals, in adviser goals, and it requires a fundamentally different approach,” he says. 


One of the primary risks retirees face is sequence-of-return risk, or as Sharma refers to it, “the risk of retiring in a bad market.” 

He explains, “If you happen to be doing all the right things, but suddenly the market tanks in the last few years, and you lose 20% of your nest egg for various reasons, how do you manage that risk?”

To mitigate this risk, Sharma recommends focusing on asset allocation. “As you get closer to retirement, you generally would tend to—or you should consider—increasing fixed income exposure over equities,” he advises. This approach balances portfolios to reduce the impact of stock market declines. 

Sharma also stresses the importance of bucketing strategies, in which an individual’s funds are divided into short-term, mid-term and long-term buckets. During a downturn, retirees can draw from the near-term bucket without further depleting the investments set aside for later buckets.

Another potential strategy, Sharma notes, involves annuities. While not suitable for everyone, annuities can provide capital preservation while still offering some interest or crediting rate during the waiting period, according to Sharma. However, he emphasizes that these strategies must be tailored to individual circumstances. 

Social Security 

Sharma also addresses broader considerations beyond an individual’s portfolio, such as Medicare decisions, Social Security claiming, and long-term care planning. These decisions, he says, are highly personal and often involve trade-offs. 

“Social Security claiming decisions are, for the most part, irrevocable,” he says. “Once you’ve made a decision, you’re stuck with it, and it can cost you. If you don’t make the right decision, it can cost you hundreds of thousands of dollars over your lifetime.” 

For those nearing retirement, Sharma introduces the concept of funded status, adapted from defined benefit plans. He explains, “Funded status means, do you have enough savings to last your lifetime? If you have more than you need, you are well-funded. If you have less than what you need, you are underfunded.” 

Understanding one’s funded status, Sharma says, is critical in shaping strategies and managing risks. Those who are well-funded have more options and flexibility in managing key financial strategies, such as determining when to claim Social Security and handling Medicare or long-term care costs. In contrast, individuals who are underfunded face a much more challenging situation, with limited flexibility and greater difficulty navigating these crucial financial decisions. 

Sharma concludes by emphasizing the value of professional financial advice during this stage of life. By considering all aspects of retirement, including investments, healthcare, housing, and lifestyle, advisers can help clients navigate this transition and ensure financial security for the years ahead. 

“Financial advisers can always add value, but the biggest value comes at some of these life-changing events when a financial adviser can help you think through holistically,” Sharma says. 
