Recordkeeping Cybersecurity Practices Should Make You Feel Secure

October 12, 2022 (UPDATED October 18, 2023)

Unwavering confidence. That’s the feeling employers should have with the data protection policies and practices of their retirement plan’s recordkeeper. However, frequent headlines of data breaches and protocol failures are solid reasons to ponder the security of their participants’ data.

Your organization cannot afford such risks and the resulting liabilities. Cybersecurity is a prime concern for you — and it also must be for your plan’s recordkeeper.

Implement Best Practices for Cybersecurity

Cybercrime is a constant threat that’s happening daily. The Identity Theft Resource Center reported 1,802 data breaches in 2022, impacting over 424 million people. It was a 70% increase in cybercrime victims from the previous year. Halfway through 2023, there have been 1,393 data compromises reported, affecting more than 156 million individuals.


Retirement plan recordkeepers are entrusted to protect their clients’ data, and that protection means going beyond technological methods to keep participant data safe. It also requires implementing cybersecurity best practices and protocols.

Recordkeepers and other service providers responsible for retirement-plan-related IT systems and data should adhere to these best practices established by the U.S. Department of Labor’s Employee Benefits Security Administration:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

Protecting client data is a key priority at USI Consulting Group (USICG), and maintaining the security of each client’s information and assets is a critical element of our business strategy. The best practices listed above are among the actions USICG takes to protect the data and assets of our clients.

Preventative Measures 24/7

USICG understands the level of trust and confidence that our clients place in us, and we take that responsibility seriously. To protect our clients and their assets, USICG has made significant investments in technology, resources and staff. Those investments are strengthened by the practices, policies and procedures we take every day to maintain the security of client data and assets.

Best practices are our daily routine. As a matter of fact, two of our regular practices focus on system access and data management. USICG prevents users from making unauthorized changes to corporate computers, supporting restricted access to the corporate network via a secure VPN utilizing complex passwords and multifactor authentication. In addition, client data is encrypted and isolated, requiring limited privilege to those who need access. Data is transferred between our partners utilizing “Secure File Transfer Protocol” tools and processes ensuring that files sent and received are encrypted to the highest standards.


Each organization’s data breach risks are unique. It’s important to assess your company’s risks and consider cyber insurance for peace of mind. Join our Cybersecurity Awareness Month Webinar Series, featuring USI cyber risk and insurance experts to discuss the urgent and emerging cyber risks specific to the healthcare, real estate, public entity and agriculture industries. View event dates and register today. (Replays of each webinar will also be available on demand.)

This information is provided solely for educational purposes and is not to be construed as investment, legal or tax advice. Prior to acting on this information, we recommend that you seek independent advice specific to your situation from a qualified investment/legal/tax professional.