Cyber Security Awareness Month

Protecting Retirement Plan Participants from a Growing Threat
October is Cyber Security Awareness Month, a timely reminder for employers and plan sponsors to take stock of how well their retirement plans are safeguarded against online threats. Cybersecurity may not be the first issue that comes to mind when thinking about a 401(k) plan, but in today's digital world it belongs on every plan sponsor's list of considerations and cannot be ignored.
Why Retirement Plans Are Prime Targets
Nearly every piece of our lives now lives online, and retirement plans are no exception. Recordkeeping providers maintain vast amounts of sensitive participant data: Social Security numbers, dates of birth, addresses, payroll information, and beneficiary designations. More importantly, their systems also control access to participants' retirement savings: a compromised login, or a fraudulent change to a participant's bank account or mailing address, can be used to move money out of the plan.
In many cases, a 401(k) is an employee's only retirement account, and often their largest. If that account is compromised, the financial and emotional consequences could be devastating. Think of your recordkeeper as not only storing personal data but also holding assets, much like a bank. The difference is that many employees don't think of their retirement plan as a target, and they check it far less often than a checking account, so unauthorized activity is slower to be noticed.
Unfortunately, cyberattacks are on the rise across the financial sector, and 401(k) plans are an obvious target. Recordkeepers hold assets in the trillions in aggregate. The incentives for bad actors couldn’t be higher.
Department of Labor Guidance
Recognizing the risks, the Department of Labor (DOL), through its Employee Benefits Security Administration, issued cybersecurity guidance in April 2021 urging plan fiduciaries to evaluate their recordkeeping providers' cybersecurity policies and procedures. Specifically, fiduciaries are expected to:
- Assess preventive measures. What proactive safeguards and authentication processes are in place to reduce the risk of a breach, and what independent evidence (for example, a recent third-party security audit) backs up those claims?
- Evaluate incident response protocols. If a breach occurs, what steps will be taken to contain the damage and notify impacted participants?
- Understand participant protections. Will participants be “made whole” if assets or data are compromised? What insurance or guarantees are in place, and what stipulations or qualifications apply?
Documenting these evaluations not only checks the fiduciary compliance box—it also provides peace of mind that participant information and assets are being guarded responsibly.
The Fiduciary Responsibility
Ultimately, plan sponsors bear responsibility for ensuring their recordkeeper is up to standard. But this is not a task most employers are equipped to handle alone. That’s where working with a retirement plan consultant adds significant value.
At LoVasco, we work directly with recordkeeping providers to gather their documented cybersecurity policies and procedures. We then guide plan sponsors through the review process, helping them understand both the strengths and any limitations in those protections.
Once reviewed, the findings are summarized—often in the form of meeting minutes—and stored in the plan’s fiduciary file. This documentation becomes crucial if the DOL ever audits the plan. Being able to show not only that the review was completed but also that any shortcomings were addressed protects both the plan sponsor and the plan participants.
Key Questions for Plan Sponsors to Ask
When reviewing your recordkeeper’s cybersecurity measures, focus on both prevention and remediation. Among the most important questions to ask are:
- What authentication requirements are in place? Is multi-factor authentication (MFA) required for participant logins, and is additional verification required for high-risk transactions such as distributions, loans, and changes to bank account or contact information?
- How is participant data stored and encrypted, both at rest and in transit, who within the provider can access it, and what independent evidence (such as a recent third-party security audit or penetration test) supports those claims?
- What types of cyber insurance or guarantees are provided to participants in the event of a breach?
- What stipulations must be met for those guarantees to apply (such as prompt reporting requirements, keeping contact information current, or participant authentication steps)?
By understanding these details, sponsors can better evaluate whether their recordkeeper is adequately protecting participants.
How Often Should Reviews Be Conducted?
Cybersecurity reviews are not an every-quarter or even an every-year exercise. However, they should be conducted regularly, at least every few years, and sooner if the plan changes recordkeepers, the provider reports a security incident, or the provider materially changes its policies or guarantees. The goal is to strike a balance: keeping the fiduciary file up to date without overburdening plan committees or staff with unnecessary administrative work.
LoVasco streamlines this process by conducting reviews at the provider level. For example, if multiple clients use the same recordkeeping provider, we gather and review that provider’s policies once, then apply those findings across all relevant clients. This efficiency reduces redundancy while still ensuring each sponsor is covered.
Why It Matters Now
Cyber Security Awareness Month provides a built-in reminder to revisit these issues. Just as individuals are encouraged to turn on multi-factor authentication or update their software, plan sponsors should take this opportunity to check their fiduciary files:
- Have you ever conducted a cybersecurity review of your recordkeeping provider?
- If so, when was the last time?
If the answer is “never” or “several years ago,” it’s time to reconnect with your retirement plan consultant.
Some consultants may leave this responsibility entirely to the plan sponsor. At LoVasco, we see it differently. Our culture of extreme ownership means we go the extra mile to facilitate these reviews, interpret findings, and ensure they are properly documented.
For us, it’s not just about compliance—it’s about protecting the employees who count on these savings for their future. By helping plan sponsors fulfill this duty, we strengthen both the fiduciary standing of the plan and the trust participants place in it.
Let the Calendar Be Your Reminder
Cybersecurity in the retirement plan space may not make headlines as often as stock market volatility or regulatory updates, but it is every bit as critical. With trillions of dollars in aggregate and sensitive participant data at stake, overlooking this responsibility could have dire consequences.
October is the perfect time to act. Use Cyber Security Awareness Month as a catalyst to review your recordkeeper’s protections, document your findings, and give your employees confidence that their future is secure.
