
Americans currently hold an estimated $7.4 trillion in assets in more than 700,000 401(k) and other types of retirement plans, according to the Investment Company Institute. Those assets and the personally identifiable information (PII) tied to them make plans a prime target for cybercriminals. Yet until recently, there’s been little guidance regarding protecting the retirement assets of America’s workers.    

That all changed in 2021 when the U.S. Department of Labor (DOL) released its first-ever cybersecurity guidance for plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA). The DOL guidance states that plan fiduciaries have an obligation to ensure proper mitigation of 401(k) cybersecurity risks and outlines their responsibilities to protect ERISA-covered benefit plan data.   

Addressing 401(k) cybersecurity risks  

Fifteen to twenty years ago, IT systems were mainly on-premises. Data was confined to a single environment, such as a large data center, which made it harder for bad actors to slip through the cracks.

However, today's IT systems are often cloud-based and can involve a seemingly endless number of third parties. With so many interdependent trust relationships at play, it doesn't take much for a single point of failure to wreak havoc on an entire system.

The broader financial services sector experienced this impact in 2023. A failure to adequately patch a Citrix server jeopardized a credit union's virtual desktop environment. The cascading effect forced 60 to 70 credit unions offline and compromised an undisclosed amount of PII.

401(k) cybersecurity best practices for providers 

The DOL’s guidance reflects two significant shifts in the IT environment – the evolving technology landscape and the growing sophistication of threat actors. Let’s take a closer look at the DOL guidance and the best practices the agency suggests.   

The guidance states that plans’ service providers should:   

  1. Have a formal, well-documented cybersecurity program.  
  2. Conduct prudent annual risk assessments.  
  3. Have a reliable annual third-party audit of security controls.   
  4. Clearly define and assign information security roles and responsibilities.   
  5. Have strong access control procedures.   
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.   
  7. Conduct periodic cybersecurity awareness training.   
  8. Implement and manage a secure system development life cycle (SDLC) program.   
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.   
  10. Encrypt sensitive data, stored and in transit.   
  11. Implement strong technical controls in accordance with best security practices.   
  12. Appropriately respond to any past cybersecurity incidents. 

What should plan fiduciaries be thinking about and doing in response?

The DOL’s guidance reminds plan sponsors, fiduciaries, record keepers and participants to continuously evaluate their cybersecurity programs, protocols and best practices. Many 401(k) plan service providers form committees that meet regularly to assess various aspects of the business. This provides a chance to evaluate your overall cybersecurity posture and ensure you are comfortable with your plan and current level of risk.   

But it’s not only about your own organization. The DOL guidelines also extend to third parties. That means plan fiduciaries need to make prudent decisions about service providers and the third parties they work with. Adopting strong cybersecurity practices and oversight of third-party providers can help reduce an organization’s exposure to cybersecurity events. Requiring evidence of adequate due diligence from service providers is crucial for vetting their security practices and interdependencies.  

It’s up to you to ensure it’s not just about checking a box. Third parties should be able to provide attestation via penetration testing or an independent audit. Doing some extra digging to ensure the organizations you work with have robust security programs can pay off in the long run.   

Why BPM for 401(k) cybersecurity? 

There is no silver bullet when it comes to protecting 401(k) and other retirement assets from cyber threat actors, but the importance of doing so cannot be overstated. Without sufficient protection, participants and assets may be at risk from both internal and external cybersecurity threats.

Should a breach occur, an organization faces not only the potential for monetary loss but also loss of PII, reputational risk and potential litigation. Ensuring you adequately protect plan-related IT systems and data is about embracing a cybersecurity culture. It’s also about developing a security program that’s built into your organization’s core. We can help.  

BPM is more than an accounting firm. We are a security-focused professional services organization with the depth and breadth of experience to help you develop a robust and well-documented cybersecurity program that covers all 12 of the DOL’s best practices recommendations.

Our team of seasoned professionals has extensive knowledge of 401(k) and other retirement plans. With significant experience in the financial services industry, we can help guide you through the types of threats you’re most likely to encounter and how to prepare for them. To find out more about how we can assist you in better understanding the DOL guidance and your associated fiduciary responsibility, contact us. 


Headshot of Ryan Davis.

Headshot of Josh Schmidt.
