Cybercrime is a real threat to your 401(k) clients—but you can help

Your clients can't afford to take cybersecurity for granted.

Why? Cyberattacks are on the rise, data theft is big business for cybercriminals, and workplace retirement plans aren’t immune.

In 2021 alone, the FBI reported an estimated $6.9 billion in losses derived from 847,000 cybercrime complaints.[1] This year, weekly attacks on corporate networks are up 50%, and a hacker attack occurs every 11 seconds.[2]

Deliver more value by going beyond fiduciary basics
When discussing fiduciary obligations with your clients, go beyond fees and funds. Help your clients further mitigate their risk—while simultaneously turbo-charging your value—by adding cybersecurity best practices to your next 401(k) meeting agenda.

Here are ways to heighten cybersecurity awareness for plan sponsor clients:

  • Help them consider the right cybersecurity questions to ask when assessing and hiring 401(k) service providers.
  • Share common cybersecurity best practices and tips to help protect against attacks.


We think about cybersecurity all the time—so your clients don’t have to.
We designed our cybersecurity response program to help keep your clients' financial information safe and to comply with applicable federal and state laws.
Learn more about Ascensus' rigorous standards and why you and your clients can be confident in the strength of our data security practices.


1. Tips for assessing and hiring service providers

As a financial advisor, you help guide your clients’ service provider selections. You can also influence clients to prudently assess a provider’s cybersecurity protocols and readiness.

The Department of Labor (DOL) has a convenient preparedness and assessment blueprint for retirement plans[3] that offers cybersecurity best practices. Share it with your clients so they can ask service providers these important questions:

What are your information security standards, practices and policies, and audit results?

    • Compare responses to industry standards adopted by other financial institutions.
    • Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.

How do you validate your practices, and what levels of security standards have you met and implemented?

    • Look for contract provisions that allow for the right to review audit results to demonstrate compliance with standards.

Have you experienced past security breaches?

    • Find out what happened and how the service provider responded to a breach.
    • Evaluate the service provider’s track record, including public information about data security incidents, other litigation, and legal proceedings related to the vendor’s service.

Do you have cybersecurity insurance?

    • Get a better sense of how the service provider is insured against risk and whether their policies would cover losses caused in a cyberattack or from identity theft.

Does the contract require ongoing compliance with cybersecurity and information security standards?

    • Be aware of contract provisions that limit the service provider’s responsibility for IT security breaches.
    • Include contract terms that enhance protection for the plan and its participants, such as information security reporting, clear provisions on using and sharing information and confidentiality, notification of breaches, compliance with records retention laws, and insurance.

2. Cybersecurity best practices for plan sponsors
Some of your clients—particularly small businesses that have fewer resources—may not feel adequately equipped to handle their cybersecurity threats. Sharing tips from the U.S. Small Business Administration (SBA) provides value to your clients by helping them mitigate risk. The following list summarizes the SBA’s advice; see their website for the full set of recommendations.[4]

  • Secure networks
    Encrypt information and use a firewall. Ensure Wi-Fi networks are secure and hidden, password-protect router access, and use a Virtual Private Network (VPN) for remote employees.
  • Update software and use antivirus protection
    Configure software to auto-install updates. Routinely update operating systems, web browsers, and other applications.
  • Enable multi-factor authentication (MFA)
    Consider MFA for accounts such as financial, accounting, and payroll.
  • Monitor cloud accounts
    Evaluate using a Cloud Service Provider (CSP) to host information, applications, and collaboration services, especially in hybrid work environments.
  • Secure and back up sensitive data
    Control data access, and audit data and information hosted in the cloud. Regularly back up data on all computers, and institute weekly data backups to cloud storage.
  • Provide training
    Instruct employees on basic internet best practices. Employees and work-related communications are leading causes of data breaches.


The bottom line: We all want to be cybersecure—and you can help clients get there by sharing the latest tips and best practices.

You don’t have to be an IT guru to share expert resources that help your clients make more informed decisions and mitigate risks within their businesses. In the process, you’ll showcase your value, expand your influence, and build even more trust that leads to long-term, successful partnerships.

Ascensus' commitment to data security

Protecting the information and data in our systems is of paramount importance to Ascensus—but don’t just take our word for it. To validate the strength of our program and ensure we’re adhering to the highest standards, we collaborate with external experts and undertake regular security assessments, including:

  • System and Organization Controls 2 (SOC2) data security audits[5]
    This audit, completed by a third-party firm, assesses the controls we use to protect data.
    • Ascensus has completed an independently audited SOC2 assessment for the past five years. Auditor reports have never noted an exception to our security controls.
    • We also complete a SOC1 audit annually that has embedded controls for security-related topics such as access management and physical security.
  • International Organization for Standardization (ISO) 27001 certification[5]
    This is a widely recognized international data security standard that mandates adherence to specific requirements for information security management systems in order to be certified.
    • Ascensus is certified, delivering independent assurance that information security best practices definitively are in place. (Some recordkeepers say they follow ISO 27001 protocols without undergoing certification.)
    • We reaffirmed this certification through the Professional Evaluation and Certification Board (PECB) in December 2021.
  • Penetration testing
    We work with an external consultant annually to conduct in-depth probes of our information security defenses—helping to ensure we have no undiscovered vulnerabilities and to mitigate potential risks.


[1] "FBI Releases the Internet Crime Complaint Center 2021 Internet Crime Report." U.S. Federal Bureau of Investigation press release. March 22, 2022.

[2] "2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics." Cybercrime Magazine, Cybersecurity Ventures second annual Cybersecurity Almanac. January 19, 2022.

[3] "U.S. Department of Labor Announces New Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record-Keepers, Plan Participants." Employee Benefits Security Administration news release. April 14, 2021.

[4] "Strengthen Your Cybersecurity." U.S. Small Business Administration. Accessed August 16, 2022.

Applies to Ascensus Retirement and Government Savings business lines.