
Cybersecurity in retirement plans: protecting participants

We have all seen the endless stream of headlines about identity theft, data breaches and cyberattacks. These cybercrimes now represent the fastest-growing type of crime in the United States.12 And not only are incidents of cybercriminal activity on the rise, the cyberthreat landscape is continuously evolving to include additional attack methods and vulnerable devices. In response, individuals and organizations are taking steps to protect their electronic assets from cyberthreats by ramping up cybersecurity measures, and retirement plans are no exception.

Retirement plans in the crosshairs

With so many security breaches in the news, many plan sponsors may be wondering whether their retirement plans are vulnerable to an attack. Indeed, with close to $6 trillion held in 401(k) plans, these plans have become an enticing target for cybercriminals.13 Not only do these plans hold large amounts of money, but they also collect personal information from plan participants, such as names, addresses, birth dates and Social Security numbers. Such data is highly valued by cybercriminals because most of it is permanently attached to the individual and can’t be easily changed.

Protecting the plan

While the information included in retirement plans is protected under numerous laws and regulations, there is currently no comprehensive federal law that governs cybersecurity in 401(k) plans.14 But the cybersecurity threat is so pervasive that lawmakers have asked the Government Accountability Office (GAO) to examine the cybersecurity of the U.S. retirement system. In a letter to the GAO, Senator Patty Murray and Congressman Bobby Scott identified several key questions, including what cybersecurity protections are currently in place for retirement plans and what can be done to strengthen them in the future. Although the GAO has yet to respond, other industry groups have taken steps to address the issue. The ERISA Advisory Council has published considerations for cybersecurity in benefits plans and has also asked the Department of Labor (DOL) to issue guidance. The Society of Professional Asset-Managers and Record Keepers (SPARK) Institute has also created industry best practices for keeping data secure.

Types of cyberthreats:

Plan sponsors should familiarize themselves with some of the more common types of cyberattacks that have been used consistently in recent years.

Protecting participants: tips for plan sponsors

Under ERISA, plan fiduciaries, including plan sponsors, have the broad duty “to act solely in the interest of plan participants and beneficiaries.” While the DOL has yet to issue guidance for fiduciaries, plan sponsors can, and should, take steps to ramp up cybersecurity. And in today’s unpredictable digital environment, it is not enough to have a “react and defend” strategy after the fact; proactive approaches to cybersecurity and continuous monitoring are also critical. As the saying goes, the best defense is a good offense. One of the challenges is knowing where to start. Here are some tips for protecting participants and plan assets:

Build cybersafety into company culture

If you don’t have one yet, establish a program that sends phishing simulations to your population with just-in-time training if they click on a suspicious link. Institutions with a phishing awareness program are able to lower their susceptibility from the industry average of 30%.17

Leverage two-factor authentication when administering plans and on all accounts

Multifactor authentication, like entering a one-time passcode, can add an extra layer of security during the login process. Even if a cybercriminal obtained a username and password, they shouldn’t be able to complete two-factor authentication without access to the one-time passcode from a secondary authentication device, like a mobile phone.

Practice least privilege when assigning administrative access rights

Give an employee administrator only the amount of access needed to perform the functions required of their role. Even if this person’s credentials were compromised or they became a malicious insider, they would only have access to nonfinancial information. The fewer individuals with access to sensitive data, the more secure the plan will be.

Enlist the help of the recordkeeper

When selecting a recordkeeper, plan sponsors should get a clear picture of its cybersecurity practices and also understand how the recordkeeper will work with them should a breach occur. Many recordkeepers create educational materials and resources that are either made available to participants on the recordkeeper’s website or provided directly to the plan sponsor to include in participant information packets.

Help participants protect themselves

Educate participants on safeguarding their accounts and personal information. It may sound basic, but many participants view their 401(k) plan as something to “set and forget.” Encourage them to regularly check their accounts for unauthorized activity, protect their passwords and login information, and make sure their contact information is up to date.

Plan sponsor responsibility

In the absence of specific guidance from the DOL, plan sponsors must still act in a fiduciary capacity under ERISA’s best interest clauses, as well as adhere to data privacy requirements for electronic notices. The chart below breaks down the regulatory guidelines for plan sponsors’ fiduciary duties related to cybersecurity and electronic distribution of plan information.

Regulations and cybersecurity chart

Staying vigilant

Cyberthreats are constantly evolving and becoming more sophisticated. As a result, plan sponsors must stay one step ahead of hackers. By familiarizing themselves with the cybersecurity risks and developing a plan to mitigate them, plan sponsors can help protect the hard-earned savings that participants and their beneficiaries rely on in retirement.
12 Federal Bureau of Investigation, https://www.fbi.gov/investigate/cyber
13 Investment Company Institute (ICI).
14 Pension Research Council, “Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective.”
15 Security Magazine, October 2019.
16 PhishMe; Armada Cloud, Ransomware Statistics 2016; Krebsonsecurity.com; TIAA.
17 KnowBe4.com.

The views and opinions expressed are for informational and educational purposes only as of the date of production/writing and may change without notice at any time based on numerous factors, such as market or other conditions, legal and regulatory developments, additional risks and uncertainties and may not come to pass. This material may contain “forward-looking” information that is not purely historical in nature. Such information may include, among other things, projections, forecasts, estimates of market returns, and proposed or expected portfolio composition. Any changes to assumptions that may have been made in preparing this material could have a material impact on the information presented herein by way of example.

Past performance is no guarantee of future results. Investing involves risk; principal loss is possible.

Please note that this information should not replace a client’s consultation with a professional advisor regarding their tax situation. Nuveen is not a tax advisor. Clients should consult their professional advisors before making any tax or investment decisions.



Nuveen provides investment advisory solutions through its investment specialists.

This material is provided for informational or educational purposes only and does not constitute a solicitation of any securities in any jurisdiction in which such solicitation is unlawful or to any person to whom it is unlawful. Moreover, it neither constitutes an offer to enter into an investment agreement with the recipient of this document nor an invitation to respond to it by making an offer to enter into an investment agreement.

This material may contain “forward-looking” information that is not purely historical in nature. Such information may include projections, forecasts, estimates of yields or returns, and proposed or expected portfolio composition. Moreover, certain historical performance information of other investment vehicles or composite accounts managed by Nuveen may be included in this material and such performance information is presented by way of example only. No representation is made that the performance presented will be achieved, or that every assumption made in achieving, calculating or presenting either the forward-looking information or the historical performance information herein has been considered or stated in preparing this material. Any changes to assumptions that may have been made in preparing this material could have a material impact on the investment returns that are presented herein by way of example.

This material is not intended to be relied upon as a forecast, research or investment advice, and is not a recommendation, offer or solicitation to buy or sell any securities or to adopt any investment strategy. The information and opinions contained in this material are derived from proprietary and non-proprietary sources deemed by Nuveen to be reliable, are not necessarily all-inclusive and are not guaranteed as to accuracy. There is no guarantee that any forecasts made will come to pass. Company names are used for explanatory purposes only, do not constitute investment advice and are subject to change. Any investments named within this material may not necessarily be held in any funds/accounts managed by Nuveen. Reliance upon information in this material is at the sole discretion of the reader. Views of the author may not necessarily reflect the views of Nuveen as a whole or any part thereof.

Past performance is not a guide to future performance. Investment involves risk, including loss of principal. The value of investments and the income from them can fall as well as rise and is not guaranteed. Changes in the rates of exchange between currencies may cause the value of investments to fluctuate.

This information does not constitute investment research as defined under MiFID.
