Cybersecurity Practices Are Essential to Mitigating Reputational and Financial Risk for Recordkeepers
September 22, 2021 — Boston
Effective implementation of cybersecurity programs provides competitive differentiation for recordkeepers
Nearly one-third of recordkeepers expect to increase their cybersecurity staff, responding to an increased threat of retirement account fraud, according to the latest Cerulli Edge—U.S. Retirement Edition. Implementing an effective cybersecurity program will be essential to fostering a sustainable recordkeeping business and retaining defined contribution plan sponsor clients for the long term.
More than three-quarters (79%) of retirement specialist advisors indicate cybersecurity is a very important factor when selecting a recordkeeper. Yet, less than two-thirds of small-to-mid-sized plan advisors have a formal written process for conducting due diligence on recordkeepers’ fraud prevention practices, according to Cerulli’s findings. Plan fiduciaries without the in-house expertise to properly evaluate recordkeepers’ cybersecurity programs and practices should seek to leverage their plan sponsor’s IT specialists or consider working with a third party to aid them through this component of the request for proposal process.
To stay current with cybersecurity best practices, Cerulli recommends recordkeepers evaluate their cybersecurity measures within the context of the guidance issued by the Department of Labor and Spark Institute. “It is important for recordkeepers and plan fiduciaries to acknowledge that an effective cybersecurity program should be more than just an IT initiative,” says Shawn O’Brien, senior analyst. “Rather, effective cybersecurity practices should permeate every aspect of a provider’s business, including its customer engagements, account management, website development, and data transmission and warehousing.”
Implementing new technologies, such as biometric log-in credentials (i.e., thumbprints or facial recognition), is one part of building an effective cybersecurity practice. For these technologies to prove effective, providers will need to play an active role in encouraging participants to adopt them and to enhance the security of their accounts and personal information on their own. Furthermore, recordkeepers should look to evaluate the cybersecurity practices of the service providers with whom they exchange or share participant data. “Ultimately, the greater the number of parties sharing participant data for a given plan, the more complicated securing that data becomes,” adds O’Brien. “Implementing the proper procedures, controls, and software, as well as evaluating the security of shared service providers, are crucial to retaining clients and mitigating reputational damage.”