Retirement accounts are an integral part of most workers’ plans for the future. Hard-earned funds are deposited into these accounts over the course of decades with the promise they’ll be there at retirement to ensure the maintenance of a comfortable lifestyle. Cybersecurity threats pose a tremendous risk to plan sponsors and participants alike. Here’s how to protect your workers’ assets and limit your company’s liability.
Protecting Online Accounts
As a plan sponsor, you have the power to educate plan participants and help them to make safer choices. Participants should document their user names and passwords, along with other pertinent account information, and store it in a safe place. They should not share this data with anyone else. If they are comfortable doing so, however, they may wish to tell a family member or the executor of their estate where this information is located, in the event of an emergency.
Passwords should be changed at least quarterly for all online accounts. Plan participants should never use the same password or security questions for their retirement account that they use for other accounts, such as email or social media.
It’s imperative that plan participants take these important steps to safeguard their own information. They should also log in to their plan accounts regularly and check for any suspicious activity.
Cyber breaches take many forms. Across the industry, it is not uncommon to hear of fraudulent participant forms being submitted in an attempt to swindle someone out of their retirement savings. Not only is this terrifying when someone’s life savings are at stake, it is largely preventable if proper cybersecurity measures are put in place.
Be careful of links in emails that you or your participants receive. If you or your employees ever have questions about whether an email from DirectAdvisors is legitimate, please contact us for help.
Secure Document Storage
Both plan participants and plan sponsors should engage in secure document storage practices to safeguard sensitive data. Plan participants should be encouraged to shred any retirement account documents before throwing them away. Ideally, they should not recycle plan documents, even once shredded.
If participants have a safe or lockbox available at home, this is a good place to store plan login information and account numbers. Important plan paperwork should be kept in a fireproof and waterproof container.
Plan sponsors should follow the same procedures when it comes to basic document storage. However, they must take security protocol several steps further. If a safe or locked room is used to house plan documents at your place of business, limit the number of employees who have access.
Your company likely already has a disaster preparedness strategy in place, so adding retirement plan document security to this list is a smart move. Unfortunately, failure to do so could render you liable for losses that occur if there is a cybersecurity breach. Documenting your plan and following it can help you prove you did all you could, in the event the worst occurs.
Participant Request Procedures
Over the course of time, plan participants will take distributions from their retirement accounts and make other changes, such as to their beneficiaries and allocations. As the plan sponsor, you need to have well-documented procedures in place for how these changes can be made. You also need to be sure that you are reviewing any participant forms for accuracy and ensuring that they were submitted by the actual participant. Many plan sponsors choose to only accept original, hardcopy forms, and they may request to call or speak with the participant before providing authorization.
Once you’ve outlined secure procedures that protect you and your employees, stick with them. Do not allow deviations from these policies, even when it seems inconvenient for your HR department or the plan participant to be stringent.
Critical IT Protections
In many instances, cyber attacks have been documented when a third party is involved. For instance, a 2012 breach on a service provider’s computer exposed Federal Thrift Savings Plan’s participant data. In 2008, Investors Financial Services Corp., since acquired by State Street, experienced a breach when computer equipment containing employee data was stolen from a third-party service provider.
There have been countless similar examples that could have been prevented if sensitive data were more closely monitored and safeguarded. Thoroughly vet all third parties and vendors who will have access to retirement plan data. In addition, ask your IT department or vendor (once they have been vetted themselves) to help you implement proper network and data storage protections.
Keeping Retirement Accounts Secure
Ultimately, keeping your participants’ retirement accounts safe is a joint effort between plan providers, sponsors, and participants. If you have questions about what you or your employees should be doing to ensure a secure retirement, contact DirectAdvisors today.