The three layers of retirement plan cybersecurity: a primer for fiduciaries

A retirement plan sponsor’s ERISA duties include protecting participants’ personal information and account balances. This includes evaluating your service providers’ cybersecurity systems in your due diligence. Make sure you understand the technology and processes involved so you can protect your organization’s retirement plan and participant accounts from cybercrime.

Personally identifiable information (PII)—a combination of a person’s public information (e.g., name and address) with their nonpublic information (e.g., Social Security number, financial information)—is a valuable commodity. Using stolen data, a savvy cyber thief can drain bank accounts, run up credit card charges, steal confidential information, and access retirement funds.

Retirement plan databases are full of PII, making them irresistible to cybercriminals. And retirement plan assets total roughly $6.4 trillion1—enhancing their appeal as a potential target for cybercrime. Learning about the three layers of retirement plan cybersecurity can help you do your due diligence and evaluate your service provider’s ability to protect your employees’ accounts and data.

Cybersecurity layer #1—the front end

The best place to stop a thief is outside your house. Front-end security helps ensure that only invited guests—participants—are allowed through your plan’s access points. Front-end security points include:

  • Website and smartphone apps,
  • An automated call center line and live customer service, and
  • Forms.

Your service provider should have protocols to ensure that only authorized personnel can access accounts, such as multifactor authentication and multistep verification, for loan or withdrawal transactions. Those protocols should also include the authorized personnel themselves, which means they need to understand the risk and mitigation measures. Your participant education should include cybersecurity best practices—such as keeping their electronic contact information current and changing account passwords as recommended.    

Cybersecurity layer #2—the infrastructure 

Infrastructure is where information—including participant data and service provider recordkeeping software—lives. Although many companies still maintain their infrastructure in-house, some are moving to outsourced, cloud-based services. Whether your service provider outsources or not, you’re responsible, as a fiduciary, for asking them about:

Physical site security—how do they deter physical break ins?

Data integrity—how do they prevent unauthorized remote access?

Platform resilience—how do they keep data safe during natural disasters and accidents?

Your service provider’s infrastructure security policy should clearly address each of these areas, and you should document that you inquired about them and assessed their appropriateness. 

Cybersecurity layer #3—operational safeguards

Operational safeguards represent the processes and policies a service provider employs to protect their systems and data. Ask your service provider about their operational safeguards:

  • Is there an external intrusion detection system that’s monitored continuously, to stop threats early?
  • Are local area networks part of a corporate-wide area network with multiple blocks (firewalls) that separate internal and external systems?
  • Are all networks subject to external and internal audits annually?
  • How often do they perform penetration testing on critical websites?
  • Do they use any operational procedures to mitigate the risk of potentially targeted transactions, such as cooling periods for withdrawals?  

Retirement plan cybersecurity due diligence protects your participants and your business

Organized cybercriminals are behind most data breaches.An organized approach to thwarting retirement plan cybercrime can help you fulfill your fiduciary duty. So, make sure that you're satisfied with your service provider's approach to these three layers of cybersecurity—front-end security, infrastructure security, and operational safeguards—and that you document your cybersecurity due diligence.

“100 Must-Know Statistics About 401(k) Plans,” Morningstar, Inc.,, September 2020. “2020 Data Breach Investigations Report,” Verizon, 2020 Data Breach Investigations Report: Official | Verizon Enterprise Solutions, 2021.

The content of this document is for general information only and is believed to be accurate and reliable as of the posting date, but may be subject to change. It is not intended to provide investment, tax, plan design, or legal advice (unless otherwise indicated). Please consult your own independent advisor as to any investment, tax, or legal statements made herein


MGTS-P442233-GE 02/21 44233

Thomas Shola

Thomas Shola, 

Assistant Vice President, IT Cybersecurity Officer

John Hancock Retirement

Read bio