Cybersecurity Risk for DC Plans

Steps Sponsors Can Take to Protect Participants’ Data — and the Plan

Although few public sector defined contribution (DC) plans have experienced data breaches, plan sponsors must be increasingly vigilant in protecting plan data as data security risk events become more common. Moreover, the personally identifiable information (PII) DC plans safeguard is a tempting target for cybercriminals.

For DC plans, business process failures are a more likely source of data breaches. Potential failures may occur as plan sponsors exchange PII with the DC plan recordkeeper(s) and other DC plan service providers. As with any exchange of information, each transmission of data between the DC plan sponsor and its service providers creates risk that may be mitigated through a set of controls.

To manage cybersecurity risk effectively, Segal Consulting and Segal Marco Advisors suggest following a strategy that includes these steps:

  • Create an information security policy and an incident-response plan.
  • Minimize requests for and use of PII.
  • Train staff regularly.
  • Assess the IT environment.
  • Mandate use of encryption for data-at-rest and data-in-motion.
  • Assess recordkeepers’ technology.
  • Review recordkeepers’ security procedures.
  • Set up and regularly review system activity logs.
  • Maintain adequate levels of cyber liability protection.

Because DC plan sponsors share responsibility for data security with recordkeepers, Wendy Carter, Defined Contribution Director with Segal Consulting, recommends that plan sponsors “ask recordkeepers if they follow the AICPA’s System and Organization Controls for Cybersecurity and if they intend to follow the SPARK Institute’s newly created Cyber Security process.”

Julian Regan, senior vice president with Segal Marco Advisors, the investment solutions provider of The Segal Group, added, “implementing an effective framework for managing DC plan data security risks will strengthen the plan’s control environment and may further improve stakeholder confidence.”

To speak with a consultant about managing cybersecurity risk in DC plans or other components of operational risk, please contact Erin Burns.

*      *     *

The Segal Group is a privately owned benefits, compensation and investment-consulting firm with more than 1,000 employees throughout the U.S. and Canada. Members of The Segal Group include: Segal Consulting, Sibson Consulting, Segal Select Insurance Services, Inc. and Segal Marco Advisors.