U.S. Department of Labor Addresses Security of Retirement Plan Accounts:

On June 26, 2023, the U.S. Department of Labor (the “DOL”) published a blog article titled “8 Tips for Protecting Your Retirement Savings Online.” Those tips are as follows:

  • Register, set up, and regularly monitor online account:  This reduces the risk of fraudulent account access and allows participants to identify and follow up on any suspicious activity promptly.
  • Use a strong and unique account password:  It is wise to avoid using dictionary words, sharing, reusing, or repeating passwords when creating an online retirement plan account. The DOL recommends using letters, numbers, special characters, and 14 or more characters and updating the password regularly (e.g., every 120 days).
  • Use multi-factor authentication (i.e., two-step verification):  Participants should take advantage of this feature, if available under their plan. If available, in addition to requiring a username and password to access the account, participants might be asked to verify their identity by using a fingerprint or by entering an email or text code.  
  • Keep account and personal information up to date:  Participants should update their contact information whenever it changes so they can be reached if there is a problem, and they should provide multiple communication options.
  • Free Wi-Fi is not always free:  When checking their retirement plan account, participants should not use a public Wi-Fi network because those networks can be accessed by criminals. Rather, participants should use their cell phone or home network for internet access.
  • Do not fall victim to phishing scams:  The DOL reminds participants that a phishing message may appear to be from a trusted organization, to lure participants into clicking on a link. Warning signs include an unexpected text message or email, spelling errors, or poor grammar.
  • Install antivirus software and keep apps and software up to date:  Outdated software and apps can be a security risk. Thus, the DOL states that participants should use trustworthy antivirus software and keep it and other software updated with the latest patches and upgrades.
  • Know how to report identity theft and cybersecurity incidents:  Victims of a cybersecurity attack can contact the FBI or the Department of Homeland Security to file a report at https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view or https://www.cisa.gov/report.

The DOL blog article also informs participants that a retirement plan’s fiduciaries have a responsibility to protect the plan against cybersecurity risks. This includes ensuring that recordkeepers and other plan service providers who are responsible for plan-related IT systems and data appropriately safeguard participants’ information. 
Retirement plan sponsors may wish to consider sharing this information with their plan’s participants.