Three action steps to help protect participant information


  • Cybersecurity is part of a retirement plan professional’s fiduciary responsibility.
  • Steps such as appropriately vetting service providers can help prevent breaches.
  • Seek and follow the advice of experts to help protect plan participants.

Early in 2024, ChatGPT was reported to be surfacing other users’ usernames and passwords in chat histories. Around the same time, the so-called “mother of all data breaches” exposed a compilation of some 26 billion records, many of them drawn from earlier breaches of popular sites such as LinkedIn, X and Dropbox.


Incidents like these are part of why information security is a global concern that companies spend billions of dollars to address — an industry estimated at more than $222 billion in 2023, according to Grand View Research.


As a retirement plan professional, you have a role to play in information security. The administration of retirement plans involves enormous amounts of sensitive data passing through many hands. Consider the bank account numbers, names, addresses, employment information and Social Security numbers required to fund retirement accounts. In the hands of bad actors, these pieces of data can cause significant harm, from account takeover to identity theft.


Data leaks and breaches pose substantial risks to plan participants. As such, plan fiduciaries have a duty of care to take reasonable steps to protect participants’ personal information.


Here are three practical things you can do to meet that duty.

Take preventative measures for protecting participant data


The success of your cybersecurity efforts as a plan sponsor or financial professional hinges largely on which plan service providers you hire, and on your due diligence in assessing each vendor’s practices and history regarding data safety. Recognizing this, the Department of Labor (DOL) offers tips for hiring a service provider with strong cybersecurity practices. These include:

  1. Ask about the service provider’s information security policies and processes. Make sure that there are sufficient guardrails in place to help protect sensitive participant data, and ask how those practices are validated. The DOL suggests considering an independent third-party audit for this assessment.
  2. Look into the service provider’s track record. Have they experienced data breaches in the past, and if so, how were they handled? What steps were taken to prevent repeat incidents?
  3. Find out about insurance. Will the service provider’s insurance policies cover losses from data breaches or identity theft, and at what limits?
  4. Build information security into the contract. Be sure that ongoing compliance with cybersecurity best practices, including timely notification to you of any breach, is part of your contract. Watch for provisions that limit the provider’s liability for security incidents.


While there is no sure-fire protection against cyberthreats, attention to these matters in the vetting process is an important aspect of your fiduciary duty of care.

Train your fiduciaries and participants


When it comes to cyber risks, the weakest point is often the knowledge level of each person in the chain. Plan fiduciaries and participants both play a role here. Fiduciaries need to understand the role technology plays in prevention and how to monitor it. Plan participants need to understand the role their own actions play in protecting their own data.


Consider these various points of vulnerability:

  • Participant password habits. Weak, reused or poorly stored passwords can be an easy entry point for malicious actors, since a password exposed in one breach is often tried against other accounts. Training on safer password practices, such as unique passwords and a password manager, can help.
  • Phishing and social engineering campaigns. Attackers use deceptive emails, calls and websites to trick individuals into surrendering credentials or other sensitive information. Awareness of these techniques and how to avoid the traps can help.
  • Impersonation. With ever-growing sophistication, voices, caller IDs and email addresses can be spoofed by bad actors. Training on how to verify identities and requests through a separately known contact channel, rather than the one the request arrived on, can help.


Every individual involved in handling sensitive information, including and especially participants themselves, can benefit from training on basic cybersecurity principles.

Be ready for the breach


If major tech companies are susceptible to cyberthreats, you are too. In the event of a data breach, the Federal Trade Commission (FTC) offers guidance for businesses that includes:

  • Secure your operations. This includes quickly fixing any technological vulnerabilities that may have led to the breach, preserving evidence, and consulting legal counsel. Much of the forensic work outlined by the FTC will likely fall to your service providers, but it’s important to know how the breach occurred so the risk of repetition can be mitigated.
  • Notify appropriate parties. As the plan sponsor or financial professional, you may be involved in communications to plan participants that their data has been compromised. The FTC offers a model letter for notifying individuals whose Social Security numbers have been stolen. Make sure your communications clearly outline what happened, what information was involved, and what individuals need to do to protect themselves in response.


While you can’t plan for every eventuality, knowing what to do in the event of a breach will help the response move more smoothly if and when it happens.

Help is always available


Ultimately, your job as a retirement plan professional is not to be an expert in cybersecurity, but rather to prudently seek assistance where it’s needed. As such, never hesitate to reach out to your local Capital Group retirement plan team for help navigating resources.

Jonathan Young is a senior national accounts manager with 34 years of investment industry experience (as of 12/31/2023). He holds a bachelor’s degree in speech communication from Old Dominion University, and he holds the Professional Plan Consultant® designation.

Investments are not FDIC-insured, nor are they deposits of or guaranteed by a bank or any other entity, so they may lose value.
Investors should carefully consider investment objectives, risks, charges and expenses. This and other important information is contained in the fund prospectuses and summary prospectuses, which can be obtained from a financial professional and should be read carefully before investing.
This material does not constitute legal or tax advice. Investors should consult with their legal or tax advisors.
Statements attributed to an individual represent the opinions of that individual as of the date published and do not necessarily reflect the opinions of Capital Group or its affiliates. This information is intended to highlight issues and should not be considered advice, an endorsement or a recommendation.
All Capital Group trademarks mentioned are owned by The Capital Group Companies, Inc., an affiliated company or fund. All other company and product names mentioned are the property of their respective companies.
Use of this website is intended for U.S. residents only. Use of this website and materials is also subject to approval by your home office.
On or around July 1, 2024, American Funds Distributors, Inc. will be renamed Capital Client Group, Inc.
This content, developed by Capital Group, home of American Funds, should not be used as a primary basis for investment decisions and is not intended to serve as impartial investment or fiduciary advice.