Cybersecurity Risk for DC Plans

Steps Sponsors Can Take to Protect Participants’ Data — and the Plan

Although few public sector defined contribution (DC) plans have experienced data breaches, plan sponsors must be increasingly vigilant in protecting plan data as data security risk events become more common. Moreover, the personally identifiable information (PII) DC plans safeguard is a tempting target for cybercriminals.

For DC plans, business process failures are a more likely source of data breaches. Potential failures may occur as plan sponsors exchange PII with the DC plan recordkeeper(s) and other DC plan service providers. As with any exchange of information, each transmission of data between the DC plan sponsor and its service providers creates risk that may be mitigated through a set of controls.

To manage cybersecurity risk effectively, Segal Consulting and Segal Marco Advisors suggest following a strategy that includes these steps:

  • Create an information security policy and an incident-response plan.
  • Minimize requests for and use of PII.
  • Train staff regularly.
  • Assess the IT environment.
  • Mandate use of encryption for data-at-rest and data-in-motion.
  • Assess recordkeepers’ technology.
  • Review recordkeepers’ security procedures.
  • Set up and regularly review system activity logs.
  • Maintain adequate levels of cyber liability protection.

Because DC plan sponsors share responsibility for data security with recordkeepers, Wendy Carter, Defined Contribution Director with Segal Consulting, recommends that plan sponsors “ask recordkeepers if they follow the AICPA’s System and Organization Controls for Cybersecurity and if they intend to follow the SPARK Institute’s newly created Cyber Security process.”

Julian Regan, senior vice president with Segal Marco Advisors, the investment solutions provider of The Segal Group, added, “implementing an effective framework for managing DC plan data security risks will strengthen the plan’s control environment and may further improve stakeholder confidence.”

To speak with a consultant about managing cybersecurity risk in DC plans or other components of operational risk, please contact Erin Burns.

*      *     *

Segal Marco Advisors, a member of The Segal Group, provides trusted advice that improves lives. Segal Marco delivers innovative, client-driven investment consulting advice, outsourcing solutions, proxy voting and corporate governance services. Clients include joint boards of trustees administering benefit plans under the Taft-Hartley Act, state and local governments, corporations, non-profit organizations, endowments and foundations. The firm works with financial services firms through Rogerscasey, a Division of Segal Advisors, and with Canadian clients through Segal Rogerscasey Canada.