
Cybersecurity in retirement plans: protecting participants

We have all seen the endless stream of headlines about identity theft, data breaches and cyberattacks. These cybercrimes now represent the fastest-growing type of crime in the United States.12 And not only are incidents of cybercriminal activity on the rise, the cyberthreat landscape is continuously evolving to include additional types of attack methods and vulnerable devices. In response, individuals and organizations are taking steps to protect their electronic assets from cyberthreats by ramping up cybersecurity measures, and retirement plans are no exception.

Retirement plans in the crosshairs

With so many security breaches in the news, many plan sponsors may be wondering whether their retirement plans are vulnerable to an attack. Indeed, with close to $6 trillion held in 401(k) plans, these plans have become an enticing target for cybercriminals.13 Not only do these plans hold large amounts of money, but they also collect personal information from plan participants, such as names, addresses, birth dates and Social Security numbers. Such data is highly valued by cybercriminals because the majority of it is permanently attached to the individual and can’t be easily changed.

Protecting the plan

While the information included in retirement plans is protected under numerous laws and regulations, there is currently no comprehensive federal law that governs cybersecurity in 401(k) plans.14 But the cybersecurity threat is so pervasive that lawmakers have asked the Government Accountability Office (GAO) to examine the cybersecurity of the U.S. retirement system. In a letter to the GAO, Senator Patty Murray and Congressman Bobby Scott identified several key questions, including what cybersecurity protections are currently in place for retirement plans and what can be done in the future. Although the GAO has yet to respond, other industry groups have taken steps to address the issue. The ERISA Advisory Council has published considerations for cybersecurity in benefits plans and has also asked the Department of Labor (DOL) to issue guidance. The Society of Professional Asset-Managers and Record Keepers (SPARK) Institute has also created industry best practices for keeping data secure.

Types of cyberthreats:

Plan sponsors should familiarize themselves with some of the more common types of cyberattacks that have been used consistently in recent years.

Protecting participants: tips for plan sponsors

Under ERISA, plan fiduciaries, including plan sponsors, have the broad duty “to act solely in the interest of plan participants and beneficiaries.” While the DOL has yet to issue guidance for fiduciaries, plan sponsors can, and should, take steps to ramp up cybersecurity. And in today’s unpredictable digital environment, it is not enough to have a “react and defend” strategy after the fact; proactive approaches to cybersecurity and continuous monitoring are also critical. As the saying goes, the best defense is a good offense. One of the challenges is knowing where to start. Here are some tips for protecting participants and plan assets:

Build cybersafety into company culture

If you don’t have one yet, establish a program that sends phishing simulations to your population with just-in-time training if they click on a suspicious link. Institutions with a phishing awareness program are able to lower their susceptibility from the industry average of 30%.17

Leverage two-factor authentication when administering plans and on all accounts

Multifactor authentication, like entering a one-time passcode, can add an extra layer of security during the login process. Even if a cybercriminal obtained a username and password, they shouldn’t be able to complete two-factor authentication without access to the one-time passcode from a secondary authentication device, like a mobile phone.

Practice least privilege when assigning administrative access rights

Only give the amount of access an employee administrator needs to do the functions required of their role. Even if this person’s credentials were compromised or they became a malicious insider, they would only have access to nonfinancial information. The fewer individuals with access to sensitive data, the more secure the plan will be.

Enlist the help of the recordkeeper

When selecting a recordkeeper, plan sponsors should get a clear picture of its cybersecurity practices and also understand how the recordkeeper will work with them should a breach occur. Many recordkeepers create educational materials and resources that are either available to participants on their website or provided directly to the plan sponsor to include in participant information packets.

Help participants protect themselves

Educate participants on safeguarding their accounts and personal information. It may sound basic, but many participants often view their 401(k) plan as something to “set and forget.” Encourage them to regularly check their accounts for unauthorized activity, protect their passwords and login information and make sure their contact information is up to date.

Plan sponsor responsibility

In the absence of specific guidance from the DOL, plan sponsors must still act in a fiduciary capacity under ERISA’s best interest clauses, as well as adhere to data privacy requirements for electronic notices. The chart below breaks down the regulatory guidelines for plan sponsors’ fiduciary duties related to cybersecurity and electronic distribution of plan information.

Regulations and cybersecurity

Staying vigilant

Cyberthreats are constantly evolving and becoming more sophisticated. As a result, plan sponsors must be one step ahead of hackers. By familiarizing themselves with the cybersecurity risks and developing a plan to address them, plan sponsors can help protect the hard-earned savings that participants and their beneficiaries rely on in retirement.


12 Federal Bureau of Investigation, https://www.fbi.gov/investigate/cyber
13 Investment Company Institute (ICI).
14 Pension Research Council, “Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective.”
15 Security Magazine, October 2019.
16 Phishme, Armada Cloud Ransomware Statistics 2016, Krebsonsecurity.com/TIAA
17 Source: Knowbe4.com.

The views and opinions expressed are for informational and educational purposes only as of the date of production/writing and may change without notice at any time based on numerous factors, such as market or other conditions, legal and regulatory developments, additional risks and uncertainties and may not come to pass. This material may contain “forward-looking” information that is not purely historical in nature. Such information may include, among other things, projections, forecasts, estimates of market returns, and proposed or expected portfolio composition. Any changes to assumptions that may have been made in preparing this material could have a material impact on the information presented herein by way of example. Past performance is no guarantee of future results. Investing involves risk; principal loss is possible.

Please note that this information should not replace a client’s consultation with a professional advisor regarding their tax situation. Nuveen is not a tax advisor. Clients should consult their professional advisors before making any tax or investment decisions.
