Tom Kret

By: Tom Kret, retirement plan consultant and Andrew Burish, managing director at The Burish Group at UBS

There’s a good chance you have received a suspicious-looking email before: one that says you’ve won a prize, asks you for personal information, or warns that someone you know needs financial help. If you’ve encountered more than one of these, you probably recognize them as scams.

Have you ever had a message that looked like it came from a known person or source, such as a family member or a financial advisor? How about correspondence from your 401(k) service provider or the sponsor of your retirement plan?

Retirement plans are major targets for cyber hackers, especially considering the $28 trillion held by these plans in the United States.[i] Today’s cyber criminals are often sponsored with significant resources and are continually stepping up their game when targeting organizations managing significant amounts of assets and personal data—such as retirement plans and the entities that service them.


The responsibility for protecting stakeholders’ data falls on more than information technology departments. 401(k) plan fiduciary responsibilities include “acting solely in the interest of plan participants”.[ii] Helping to protect participants’ personally identifiable information online is part of that duty.

What’s at stake?

The plan sponsor has a fiduciary responsibility to ensure all information is kept safe. Plan benefit records contain personally identifiable information, which can include name, date of birth, Social Security number, home address, salary, passwords and general payroll information.

What can plan sponsors do?

Given the growing sophistication of criminals, cybersecurity threats are becoming more complex. The first crucial step in mitigating these risks is asking the right questions of your service provider(s). Below are a few sample questions to begin a dialogue with the organizations servicing your retirement plan(s):

  • Do you have a comprehensive cybersecurity protocol in place?
  • How are retirement plan information and data protected and maintained on your systems?
  • How do you secure data while in transit?
  • Do you have a protocol in place to notify plan sponsors in the event of a breach?
  • Are safeguards part of your contractual agreements with third-party subcontractors and other service providers?
  • When hiring new personnel, do you perform comprehensive background and screening checks?
  • Do you conduct cybersecurity training for your employees?

As stated, retirement plans are major targets for cyber hackers, and it’s vitally important for plan sponsors to pose questions like these to their service providers. There is no perfect solution that eliminates cyber-attacks completely, but implementing a prudent process can help to better protect plan assets and reduce liability.

For more information about cybersecurity and retirement plans, contact Tom Kret at 847-277-2123 or thomas.kret@ubs.com.

[i] https://www.bdo.com/insights/assurance/employee-benefit-plan-audits/retirement-plan-sponsors-is-cybersecurity-part-of
[ii] https://www.employeefiduciary.com/401k-resource-center/employer-resources/fiduciary-responsibility/