Archived Insight | February 1, 2019

Managing Cybersecurity Risk in DC Plans

In these publications from 2018 and 2019 we cover:

  • Potential Vulnerabilities for DC Plans
  • A Multifaceted Strategy for Managing DC Plan Data Security Risks
  • The ROI of Being Prepared to Protect Your Participants’ Data

Download the public sector version of this report.

Download the corporate version of this report.



Protecting participants’ data — and the plan — requires a multifaceted strategy.

Data breaches — improper disclosures of individuals’ private information — are, unfortunately, increasingly common.

Protecting defined contribution (DC) plan data is a high priority for plan sponsors — not only because participants expect it, but also because data breaches are expensive to manage and may undermine your participants’ confidence in their plan.

Thankfully, to date, few state and local government DC plans and recordkeepers have experienced data breaches perpetrated by cybercriminals.

Nevertheless, DC plan sponsors should be increasingly vigilant, because the personally identifiable information (PII) they safeguard is a tempting target. PII includes Social Security numbers, birthdates, addresses (home and email), compensation information, DC account balances and bank account information.

For DC plans, business process failures are a more likely source of data breaches. Such failures can occur when plan sponsors exchange PII with the DC plan recordkeeper(s) and other DC plan service providers.

Each transmission of data between the DC plan sponsor and recordkeeper(s) or service providers creates risk.

In fact, while just over half of data breaches (52 percent) are the result of malicious or criminal attacks by hackers, the other 48 percent are related to negligence and system failures, according to the Ponemon Institute.

Data breaches associated with negligence may involve information included in misdirected emails, mishandled paper records or on lost devices, such as laptops, smartphones or removable drives.

Breaches related to system failures may result from information technology risk events, such as computer malfunctions.

They may also be attributable to failed business processes, including human errors that result in the accidental distribution of personal data via a mass email, in website postings or printed material.

A Multifaceted Strategy for Managing the Risk

DC plan sponsors share responsibility for data security with recordkeepers and all stakeholders. For that reason, all parties should play a role in managing cybersecurity risk.

Aspects of a multifaceted strategy for managing cybersecurity risk include:

  • Creating an Information Security Policy and an Incident-Response Plan (or Updating Existing Ones)
  • Minimizing Requests for and Use of PII
  • Training Staff Regularly
  • Assessing the IT Environment
  • Mandating Use of Encryption for Data-at-Rest and Data-in-Motion
  • Assessing Recordkeepers’ Technology
  • Reviewing Recordkeepers’ Security Procedures
  • Setting Up and Regularly Reviewing System Activity Logs
  • Maintaining Adequate Levels of Cyber Liability Protection

We cover each aspect in the report.


The ROI of being prepared to protect participants’ data.

The risk of inadvertent disclosure of personal information is real — and so are the potential savings associated with your data-protection efforts. According to the Ponemon Institute:

Having an incident response plan and team in place, extensive use of encryption, employee training, BCM (Business Continuity Management) involvement and extensive use of data loss prevention technologies all reduce the cost of data breach by more than $9 per compromised record. [That is a reduction of nearly 9 percent of the average cost of a data breach in the public sector.]

Not only will being prepared reduce the cost of the breach, it will enable you to:

  • Address and resolve the breach
  • Respond swiftly to participant and/or press inquiries
  • Help minimize the negative perceptions of the breach

The bottom line is: investing in managing the risks associated with DC plan data security pays off in multiple ways.

