6 Steps You Have to Take to Protect Your Plan

Since the days of the Pony Express, financial services businesses have faced elevated risk. The only difference today? The train robbers have been replaced by cyber criminals. In this new Wild West of digital finance, it’s important for plan fiduciaries to be ready.

With October being National Cybersecurity Awareness Month, now is the perfect time for some cyber housekeeping. Here are 6 steps to take to protect your plan in today’s market.

How a Hack Can Impact a Plan

It’s an awful feeling when a client contacts their fiduciary about a fraudulent financial transaction. Often, the hack involves an unauthorized distribution request. Using social engineering, a cyber criminal will first trick a plan participant into revealing private information, then use that information to access the victim’s financial accounts.

The best cyber attackers are experts at their craft. They can easily impersonate a plan participant on the phone and know how to alter account notification settings to delay a fraud victim from realizing their money is gone. Once the cyber thief has a participant’s money in hand, they are capable of executing complex financial actions to move the money out of the country and make it nearly impossible to retrieve.

A participant is certain to ask for their money back after a theft is discovered. But for a plan administrator, recordkeeper or sponsor, that is no small ask — the sum in question is almost always six figures. With the parties at an impasse, the situation can escalate to lawsuits, insurance claims and even complaints being filed with regulators.

6 Steps Fiduciaries Can Take

Minimizing the risk of cyber exposure is possible if you take the right actions. The Department of Labor offers guidance on addressing the problem. Cyber safety starts with awareness and training on best practices, including taking these key steps:

1. Implement Identity Verification

Identity verification is a must to protect your plan and your participants. Implement an internal process that allows you to verify the identity of participants and authenticate all distribution requests. Fiduciaries have an array of options. It’s possible to simply call participants at a confirmed phone number to verify requests. Two-factor authentication is another popular technical solution. High-tech voice recognition capabilities are also a possibility for significantly cutting down on fraudulent transactions.

2. Ensure Participant Notification

Notifying participants of account activity is another important protection today’s plans must have. Notification alerts for account changes or distribution requests should ideally be instant and automatic, and sent through multiple channels, such as email, text and an automated phone call. The ability to receive multi-channel notifications right away gives plan participants more chances to notice when something is wrong so that they can alert their plan fiduciary.

3. Automate Account Monitoring

The ability to automatically monitor accounts for suspicious activity is an important protection in the digital world. Numerous purpose-built tools exist that can be implemented to protect plans. Automated account monitoring makes it harder for fraudsters to drain a participant account by flagging unfamiliar logins, as well as account changes made shortly before a distribution request, as requiring additional verification and authentication before the money moves.
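As an added illustration of the two monitoring rules just described (this is example code written for this page, not code from the original article or from any particular recordkeeping product), the Python below evaluates a batch of participant account events. It flags logins from a device the participant has not used before, and flags any distribution request that was preceded within a configurable window by a contact, notification or bank-account change on the same account. The participant IDs, device IDs, event types and dates are constructed sample data; the 30-day window is an assumed default, not a figure from the article.

```python
"""Flag plan-account activity that should require additional identity
verification before a distribution is paid out.

Rule 1: a login from a device the participant has never used before.
Rule 2: an account change (contact details, notification settings, bank
        account) made within `window_days` before a distribution request.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event kinds that count as "account changes" for rule 2 (assumed taxonomy).
CHANGE_TYPES = {"contact_change", "notification_change", "bank_change"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    participant: str
    kind: str          # "login", one of CHANGE_TYPES, or "distribution_request"
    detail: str = ""   # device id for logins; free text for other kinds


def flag_unfamiliar_logins(events, known_devices):
    """Return (participant, timestamp, device) for each login from a device
    not in that participant's baseline. `known_devices` maps participant id
    to the set of device ids seen before this batch; it is not mutated. A new
    device is flagged only the first time it appears in the batch."""
    seen = {p: set(devs) for p, devs in known_devices.items()}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "login":
            continue
        devices = seen.setdefault(ev.participant, set())
        if ev.detail not in devices:
            findings.append((ev.participant, ev.ts, ev.detail))
            devices.add(ev.detail)
    return findings


def flag_risky_distributions(events, window_days=30):
    """Return (participant, distribution_ts, [change kinds]) for every
    distribution request preceded within `window_days` by at least one
    account change on the same participant account."""
    window = timedelta(days=window_days)
    by_participant = {}
    for ev in events:
        by_participant.setdefault(ev.participant, []).append(ev)

    findings = []
    for participant, evs in by_participant.items():
        evs.sort(key=lambda e: e.ts)
        for ev in evs:
            if ev.kind != "distribution_request":
                continue
            recent_changes = [
                e.kind for e in evs
                if e.kind in CHANGE_TYPES and ev.ts - window <= e.ts <= ev.ts
            ]
            if recent_changes:
                findings.append((participant, ev.ts, recent_changes))
    return findings


# Constructed sample data: one account showing the classic pattern (new
# device, then notification and bank changes, then a payout request) and one
# account whose only change is months old.
KNOWN_DEVICES = {"P-1001": {"dev-A"}, "P-2002": {"dev-B"}}
SAMPLE_EVENTS = [
    Event(datetime(2024, 10, 1), "P-1001", "login", "dev-A"),
    Event(datetime(2024, 10, 5), "P-1001", "login", "dev-Z"),
    Event(datetime(2024, 10, 5), "P-1001", "notification_change", "email alerts off"),
    Event(datetime(2024, 10, 6), "P-1001", "bank_change", "new payee account"),
    Event(datetime(2024, 10, 8), "P-1001", "distribution_request", "full balance"),
    Event(datetime(2024, 6, 1), "P-2002", "contact_change", "new address"),
    Event(datetime(2024, 9, 1), "P-2002", "login", "dev-B"),
    Event(datetime(2024, 10, 10), "P-2002", "distribution_request", "RMD"),
]


if __name__ == "__main__":
    for p, ts, dev in flag_unfamiliar_logins(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"[verify] {p}: login from unfamiliar device {dev} at {ts:%Y-%m-%d}")
    for p, ts, changes in flag_risky_distributions(SAMPLE_EVENTS):
        print(f"[hold] {p}: distribution on {ts:%Y-%m-%d} preceded by {changes}")
```

Run as a script, the sample flags the new device on account P-1001 and places a hold on that account's distribution request because of the two changes in the preceding days, while P-2002's request passes because its only change falls outside the window. In a real deployment the flagged items would feed the manual verification step from point 1 (for example a callback to a previously confirmed phone number) rather than being acted on by the script itself.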

4. Develop a Restoration Policy

Written policies are an easy way to help an organization control for the risk of potential future incidents. With a restoration policy, you will be better able to manage the risk of unauthorized disbursements by proactively addressing the most important questions. A policy lets you stipulate in writing which of the plan’s fiduciaries has a responsibility to make participants whole, as well as the circumstances and requirements that must be met for these protections to apply.

5. Foster Participant Engagement

Participants who are actively engaged in the safety of their own accounts are less likely to become victims of cyber theft. Developing a plan to engage plan participants can help protect plan assets. Ways that participants can be engaged include requiring an initial, complete account setup, opting in to real-time alerts, providing education about phishing and fraud threats, and requiring regular account reviews.

6. Obtain Insurance Protection

Lastly, even though plan fiduciaries may do everything right and take all possible precautionary measures, it’s wise to ensure you carry the right insurance. Sooner or later, a fraudulent instruction request may slip through the cracks and lead to a loss for a participant and a lawsuit for the fiduciary. Fiduciaries can obtain special cyber liability insurance coverage to protect against the risk. A policy that specifically covers fraudulent instruction requests and losses to a participant’s account is a must, as is checking for any coverage sublimits and policy restrictions that may limit protection.

Lockton Affinity Advisor offers Cyber Liability insurance coverage tailored to meet the needs of plan professionals. To learn more, visit LocktonAffinityAdvisor.com or call (844) 406-5958.