In response to an increased threat of retirement account fraud, nearly a third of recordkeepers expect to boost their cybersecurity staff going forward, a new report from Cerulli finds.
Even though plan providers have always been subject to cyberattacks, the issue has become more acute in recent years, particularly in the remote work environment of the pandemic, when many employees work on less secure home networks and personal devices.
To help recordkeepers, plan administrators and other stakeholders, the Department of Labor in April 2021 issued a series of best practices for cybersecurity, underscoring the importance for those running the systems. And two months later, the DOL started asking plan administrators about their cybersecurity practices as part of their pension audits.
Yet, despite the heightened awareness of cyberthreats within the DC industry, recordkeepers rarely view cybersecurity capabilities as a competitive differentiator when it comes to winning new business, according to the report.
In contrast, nearly 8 out of 10 (79%) retirement specialist advisors indicate cybersecurity is a very important factor when selecting a recordkeeper. Yet fewer than two-thirds of small to mid-sized plan advisors have a formal written process for conducting due diligence on recordkeepers’ fraud prevention practices, Cerulli’s findings show.
“A plan sponsor may have selected a recordkeeper because it was the lowest cost option, but once they experience a data breach their perspective is going to change—the most important question becomes, ‘What’s your cybersecurity program like?’” one recordkeeper observes in the report.
Moreover, there have been a few class action lawsuits in recent years filed by plan participants alleging that plan fiduciaries failed to adequately evaluate and monitor the cybersecurity practices of the recordkeepers they hire. And some of these lawsuits targeted recordkeepers for failing to adequately safeguard participant information, the report notes.
“Recordkeepers don’t always think of themselves as fiduciaries, but even in the cases where they are not the fiduciary, the courts could hold recordkeepers responsible for securing the data,” an ERISA attorney notes in the report. “In many cases, it will likely be viewed as a shared responsibility between the recordkeeper and plan sponsor, since the plan sponsor is responsible for overseeing the vendors they select.”
What’s more, even though several recordkeepers offer guaranteed reimbursements for participants who experience a data breach, or purchase cybersecurity insurance to help cover the costs of a cyberattack, the associated costs may extend beyond immediate financial losses to include reputational damage and the loss of plan sponsor clients.
Cerulli suggests that for recordkeepers acting in a non-fiduciary capacity, the prudent approach is to operate under the assumption that they are indeed responsible for safeguarding participant data, regardless of whether the recordkeeper assumes 3(16) fiduciary status.
Plan fiduciaries without the in-house expertise to properly evaluate recordkeepers’ cybersecurity programs and practices should seek to leverage their plan sponsor’s IT specialists or consider working with a third party to help them through this component of the RFP process. “It is important for recordkeepers and plan fiduciaries to acknowledge that an effective cybersecurity program should be more than just an IT initiative,” says Shawn O’Brien, senior analyst at Cerulli. “Rather, effective cybersecurity practices should permeate every aspect of a provider’s business, including its customer engagements, account management, website development, and data transmission and warehousing.”
Implementing new technologies, such as biometric log-in credentials like thumbprints or facial recognition, is one part of building an effective cybersecurity practice. For these technologies to prove effective, Cerulli suggests, providers will need to play an active role in encouraging participants to adopt them and to enhance the security of their accounts and personal information on their own. Moreover, recordkeepers should look to evaluate the cybersecurity practices of the service providers with whom they exchange or share participant data.
“Ultimately, the greater the number of parties sharing participant data for a given plan, the more complicated securing that data becomes,” O’Brien adds. “Implementing the proper procedures, controls, and software, as well as evaluating the security of shared service providers, are crucial to retaining clients and mitigating reputational damage.”