In October 2018, a woman from Danvers, Massachusetts, was unable to withdraw funds from her 401(k) account. Investigators later found that a crime syndicate had conned her third-party fiduciary into transferring over $200,000 of retirement funds to the criminals' bank account. They had stolen the personal information associated with her 401(k) and hacked into her email account to complete the transaction.

The ubiquity of the Internet in our everyday lives has improved the quality of life all around. On the flip side, cyberattacks have become rampant; the FBI reported a 300% increase in reported cybercrimes in 2020. The retirement plan industry is particularly vulnerable.

The retirement plan industry is an attractive target

Individual Retirement Accounts (IRAs) in the US hold over $11 trillion in retirement assets. Individuals enrolled in a 401(k) plan have a stable income from an employer, and the average account balance is $106,478.

These accounts are treasure troves of sensitive personal data, such as personally identifiable information (PII), electronic protected health information (ePHI) and financial information, all of it permanently linked to the individual.

Much of this information is shared across multiple third parties, including plan administrators, auditors, trustees and insurers, which widens the attack surface for a breach. Benefit plan managers, moreover, are not technology specialists by profession.

Common cyber threats on retirement accounts

Phishing: Attackers send emails or links that appear to come from the account holder's bank or fiduciary, often with an urgent subject such as “Changes to your 401(k) account”. The message lures the account holder into disclosing login credentials and other sensitive information.

Malware attacks: Malware is malicious software, often delivered through a trusted but compromised website or an email attachment. Attackers use it as a trojan horse to gain a foothold on the account holder's system and harvest critical financial information.

Ransomware attacks: Attackers compromise critical servers, encrypt or exfiltrate the data on them, and threaten to withhold or publish it unless a ransom is paid. In St. Louis, a local grocery workers’ joint pension plan server was hacked, and the perpetrators demanded a ransom in digital currency.
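The phishing lure described above has mechanical tells: a display name that borrows the fiduciary's brand while the real address sits on another domain, a Reply-To routed elsewhere, pressure words in the subject, and links whose visible text names the real site while the href points to a lookalike domain. The following Python is an added example, not code from the original article; the trusted domain, brand name and the sample message are constructed assumptions and do not refer to any real provider or real mail.

```python
"""Added example (not from the original article): flag the phishing traits
described in the threat list above in a raw email message.
TRUSTED_DOMAIN, TRUSTED_BRAND and SAMPLE_MESSAGE are constructed for illustration."""
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (hypothetical): the participant's real recordkeeper mails from
# this domain and uses this brand name in its display names.
TRUSTED_DOMAIN = "example-retirement.com"
TRUSTED_BRAND = "example retirement"

# Pressure words typical of the "act now" lure.
URGENT_WORDS = ("urgent", "immediately", "suspended", "verify", "changes to your")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(value):
    """Lower-cased host part of an email address or URL ("" if none)."""
    if "@" in value:
        return value.rsplit("@", 1)[1].strip().lower()
    return (urlparse(value).hostname or "").lower()


def is_lookalike(domain):
    """True if the domain borrows the trusted brand without being the trusted
    domain or one of its subdomains (e.g. example-retirement.com.evil.net)."""
    if not domain or domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return False
    return TRUSTED_DOMAIN.split(".")[0] in domain


def phishing_indicators(raw_message):
    """Return a list of (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = Parser().parsestr(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # Sender only *looks* like the fiduciary: brand in the display name,
    # actual address on another domain.
    if TRUSTED_BRAND in display_name.lower() and from_domain != TRUSTED_DOMAIN:
        findings.append(("spoofed-display-name", f"{display_name!r} sent from {from_domain}"))

    # Replies silently routed to a domain other than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", domain_of(reply_addr)))

    subject = (msg.get("Subject", "") or "").lower()
    hits = [w for w in URGENT_WORDS if w in subject]
    if hits:
        findings.append(("urgent-subject", ", ".join(hits)))

    # Links: visible text vs. real target, and lookalike target domains.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        href_domain = domain_of(href)
        text_domain = domain_of(text) if text.startswith(("http://", "https://")) else ""
        if text_domain and text_domain != href_domain:
            findings.append(("link-text-mismatch", f"shows {text_domain}, goes to {href_domain}"))
        if is_lookalike(href_domain):
            findings.append(("lookalike-domain", href_domain))
    return findings


# Constructed sample of the lure described above (not a real message).
SAMPLE_MESSAGE = """\
From: "Example Retirement Services" <alerts@mail-notify-center.net>
Reply-To: support@example-retirement.com.login-verify.net
To: participant@corp.example
Subject: URGENT: Changes to your 401(k) account - verify immediately
Content-Type: text/html; charset="utf-8"

<html><body><p>We have detected changes to your 401(k) account.</p>
<p>Please visit <a href="https://example-retirement.com.login-verify.net/auth">https://example-retirement.com/login</a>
within 24 hours to confirm your identity.</p></body></html>
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_MESSAGE):
        print(f"{indicator:22} {detail}")
```

Run against the sample, all five indicators fire; a genuine statement notice from the trusted domain with a plain "your statements" link produces none. The checks are deliberately header- and body-based so they can be applied at a mail gateway before the participant ever sees the message.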

Building a robust cybersecurity strategy

The best way to begin working on a cybersecurity strategy is to assume that cyberattacks are imminent.

A purely reactive approach, especially to data theft, is inefficient and expensive. In retirement planning, where data passes through multiple layers of agencies and hierarchies, it is of utmost importance to have a well-defined incident response and disaster recovery plan.

What to consider when building a cybersecurity strategy?

The Department of Labor suggests that a cybersecurity strategy cover four distinct areas:

  1. Data management: Identify, categorize, control, and protect data.
  2. Technology management: Ensure that end-to-end applications and security software across all service providers are up to date.
  3. Service provider management: Audit and perform due diligence on data security structures of all service providers.
  4. People issues: Ensure that all personnel involved in transactions are trained and up to date with privacy and security policies.

Who should care about cybersecurity?

Each of these issues needs to be considered across the retirement planning landscape, which includes sponsors, fiduciaries, recordkeepers and others. Each has a unique set of concerns to address.

Plan sponsors

Employers are often also plan sponsors, setting up and administering a 401(k) plan so that their employees can meet their long-term retirement goals. At their level, they need to:

  • Protect the confidentiality of personal data throughout its process lifecycle
  • Ensure that the websites handling plan information are secure
  • Have defined processes for addressing and fixing cybersecurity concerns
  • Hire a cybersecurity firm to perform periodic audits, as needed

Plan fiduciaries

Fiduciaries are the parties with a legal obligation to act in the interest of the individuals receiving the retirement plan benefits. They can be the employer, a trustee, or investment advisors. They must:

  • Clearly define ‘security breach’ and have a protocol for corrective measures, specifying the remedies to be deployed
  • Document the process for responding to cybersecurity breaches and the measures taken
  • Understand the limitations of their business insurance coverage and include cyber insurance to address them

Recordkeepers

Firms that manage and keep track of data within the 401(k) plan are called recordkeepers. They work on behalf of the plan participants and are responsible for:

  • Proper enrolment and education of their customers
  • Ensuring that their applications, and those of associated third-party administrators (TPAs), are thoroughly vetted by technology partners who can reverse engineer them at the component level and expose potential security flaws
  • Adhering to the standards and best practices defined by the Society of Professional Asset Managers and Record Keepers (SPARK) to “help record keepers communicate, to plan consultants, clients and prospects, the full capability of their cybersecurity systems”

How to build a cybersecurity strategy?

The Advisory Council on Employee Welfare and Pension Benefit Plans has laid out a structured approach to establishing a cybersecurity strategy. Some of the key components are:

Step #1: Understanding the plan’s data

Every stakeholder in the retirement plan process must have a clear and thorough understanding of the data and the assets involved, including a detailed data inventory.

Step #2: Create a robust and repeatable framework

Plan sponsors must take a strategic approach to their cybersecurity strategy, adopting an established framework such as the NIST Cybersecurity Framework, which organizes the work into five functions:

  • Identify: Understand the business context and the resources that support it, in order to identify risks
  • Protect: Develop safeguards to limit the impact of a potential cybersecurity event
  • Detect: Build monitoring and detection capabilities so that cybersecurity events are identified promptly
  • Respond: Develop a plan for responding to cybersecurity events when they occur
  • Recover: Plan for restoring services and maintaining resilience against long-term impairment

Step #3: Create a customized risk management strategy

While frameworks are standardized, your organization needs a cybersecurity strategy that works for its own situation. So take ideas from the various recommendations and make them your own. Then collaborate with your stakeholders and ensure they are all on board.

Do not forget to make it dynamic and adaptive. Cybersecurity threats grow more sophisticated every day, and so should your strategy.
