In an era of rapid technological change, the protection of participants' data in your retirement plan is an increasing concern. The urgency of implementing robust data security measures has been underscored by recent events, such as the MOVEit data breach.
In late May, Progress Software Corporation's MOVEit file transfer software was breached, impacting over 40 million individuals and at least 1,000 organizations. The data breach affected all types of entities, including companies that maintained personal information for retirement plans. Because organizations used the software to transfer sensitive files securely, the breach exposed personal information such as Social Security numbers, mailing addresses and dates of birth. The Russian ransomware group Cl0p claimed responsibility for the breach.
In response to the widespread cyber incident, legal actions are rapidly proliferating. Progress Software Corp is facing dozens of class action lawsuits across various federal courts in the United States. The fallout from this cyber incident underscores the urgent need for heightened cybersecurity measures across industries, particularly within sectors dealing with sensitive personal and financial information. In 2021, the U.S. Department of Labor (DOL) issued cybersecurity guidance for plan sponsors, fiduciaries, record keepers and plan participants. This guidance includes tips for hiring a service provider, cybersecurity program best practices and online security tips. These guidelines can help strengthen your organization's practices for preventing and detecting a potential threat.
Key Lessons from the MOVEit Incident
The MOVEit data breach exposed critical weaknesses that organizations must address to fortify their systems against similar threats. Incorporating the key lessons learned from this incident, the following aspects should be considered when establishing and enhancing data security programs:
1.) Incident Response Readiness:
The MOVEit breach emphasized the importance of having a robust incident response plan in place. Plan sponsors should ensure that they have clear protocols for detecting, responding to, and mitigating the impact of security incidents.
2.) Continuous Monitoring and Analysis:
The incident highlighted the need for continuous monitoring and analysis of network activities.
3.) Enhanced Authentication Measures:
The MOVEit breach underscored the significance of implementing enhanced authentication measures. Multi-factor authentication and strong access controls should be integrated to prevent unauthorized access to retirement plan data.
4.) Regular Security Audits:
The aftermath of the MOVEit incident emphasized the importance of regular security audits.
5.) Collaboration with Service Providers:
The incident highlighted the interconnected nature of retirement plan systems and the role of third-party service providers. Ensuring that your third-party service providers have security policies in place and undergo their own security audits and risk assessments is important to protecting your participants' personal data.
Implementing Comprehensive Data Security Measures
To safeguard retirement plan data effectively, plan sponsors should consider a holistic approach that encompasses the following components:
1.) Frontline Cyber and Fraud Protection:
Implementing cyber and fraud protection measures is critical for preventing unauthorized access and malicious attacks before they can compromise sensitive retirement plan data. In addition, plan sponsors should conduct cybersecurity awareness training so that employees are able to identify possible threats or suspicious activity and know how to report them.
2.) Authentication and Authorization Controls:
Enhanced authentication and authorization controls, including multi-factor authentication, should be employed to restrict access to authorized personnel only.
3.) Continuous Monitoring and Analysis:
Plan sponsors should regularly monitor their network activity and conduct a risk assessment of their security program and policies. This can identify areas of higher risk for a potential security breach.
4.) Incident Response Planning:
Establishing clear incident response plans ensures that organizations can respond swiftly and effectively in the event of a security breach, minimizing the impact on retirement plan data.
5.) Regular Security Audits:
Retirement plan sponsors should conduct an audit of their security controls by a third party and implement any necessary improvements.
The MOVEit data breach serves as a reminder for plan sponsors to reevaluate and, if needed, strengthen their data security measures. By incorporating the key lessons learned from this incident and adopting a comprehensive approach to data security, your organization can improve its safeguards against evolving cyber threats, ensuring the continued safety and privacy of sensitive data.
Tania Quigley, CPA
Partner
Tania Quigley has been a member of Cerini & Associates' audit and consulting practice area since 2005, where she focuses on serving the firm's nonprofit and employee benefit plan clientele. Tania has experience in performing financial statement audits and reviews, tax return preparation, cost report preparation and filing, retirement plan audits, and other consulting. Tania brings her expertise, diversified background, and helpful approach to all of her engagements.