Defined contribution plans and their partners share many important pieces of personally identifiable information (PII). Therefore, plan administrators should implement measures to protect PII and their participants from cyberattacks wherever possible.
Types of PII that are shared in normal, day-to-day plan activity can include:
- Name
- Date of birth
- Social Security number (SSN)
- Address
- Email address
- Bank account information
- Account balance
- Compensation data
Plans using paper forms for enrollment, account statements or other reasons – particularly when SSNs are used – present additional risks to participant accounts because much of the above information is presented together, with few to no security controls.
Both the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have adopted a series of requirements for financial institutions servicing defined contribution plans. Financial service providers are required to develop and implement various security and confidentiality procedures and tools designed to detect fraud and theft. These requirements generally apply to a plan’s consultants, investment advisors and service providers.
What can be done to improve security and minimize risk of fraud to participant accounts?
There are two initial steps a plan sponsor can take to help reduce the risk of cyberattacks. First, encourage all participants to set up an online account. When a participant has no online account, their vulnerability to fraud is greatly increased, because the unclaimed account allows hackers to set up new online accounts and gain access to the participant’s funds. Second, plan sponsors can request a copy of a provider’s Report on Controls SOC-II, an audit report describing an organization’s internal controls and attesting to their strength.
The National Association of Government Defined Contribution Administrators (NAGDCA) has published a brief on cybersecurity; read it here:
https://www.nagdca.org/Portals/45/Publications/Issues/NAGDCA_CyberSecurity_June2017_Final.pdf