Information security and your organization’s retirement plan

Company and employees who have protected their retirement accounts and information.

Security is a real concern for you and your employees and for companies like Principal® that manage data and financial accounts. That’s why we work together to help safeguard information and account access.

There are two things you can do today to help your employees and yourself.

1. Encourage online retirement account access

You may think it’s safer to avoid online account access and transactions, but it’s just the opposite. For example, when employees set up their Principal retirement accounts online, they set a unique password and activate an extra layer of protection called “two-factor authentication.”

Later, if they log in from an unrecognized computer or mobile phone, forget their password, or if we identify anything out of the ordinary, we send them a unique verification code by text message or email. They enter that code along with their username and password to access their account.

On the other hand, if they don’t establish online access, they leave the door open for someone else to do it. That’s a big risk that’s easy to prevent.

2. Double-check retirement plan security policies and procedures

If you’re a retirement plan fiduciary, you have responsibilities related to the security of employees’ personal and financial data. And if you’re like your peers, you may be paying more attention to cybercrime. In a recent survey, when asked about top areas of focus for the next 12 months, more retirement plan sponsors said cybersecurity. It moved from near the bottom of the list in 2017 to the middle for 2018.1

It’s important that the companies you work with have comprehensive security programs. That includes retirement plan service providers like Principal, your financial professional and your third party administrator, if you work with one. You should find out how they process data and protect personal and account information.

How do retirement plan recordkeepers help protect customer and account information? 

In the retirement industry, there’s focus on many aspects of security. Here are some examples of what we do.

  • Third-party verification. Checks and balances are important. An independent auditing firm reviews and evaluates our security measures on an ongoing basis and publishes its findings in a System and Organization Controls 2 (SOC2) report. The report covers controls related to security, confidentiality and availability of customer data. It confirms we’re helping fiduciaries meet their responsibilities.2
  • Customer protection. Security requires partnership, and we encourage our customers to help keep their accounts secure. For retirement plan customers, we offer a customer protection guarantee.  If they take three steps to protect their employer-sponsored retirement accounts and there’s unauthorized activity, we’ll reimburse the accounts.3
  • Online account security. Companies can help by requiring two-factor authentication and strong passwords. DALBAR, a financial services research firm, recently reviewed retirement plan providers’ requirements for plan participants’ passwords, and Principal ranked number two.4
  • Secure phone transactions. While many customers rely on websites, many still like to handle transactions over the phone. Our call centers rely on diligent processes and technology to prevent fraud.

Put retirement plan security on your to-do list

Make sure your employees understand the importance of online account access. You can share this online security article to give tips for strong passwords and account protection.

If Principal is your organization’s retirement plan service provider, you can find the SOC2 report in the Reports section of the secure Employer website.

Other questions? Please let us know. We’re here to help.

1 Callan, 2018 Defined Contribution Trends Survey, February 2018.

2 The SOC2 report is for DC, DB, ESOP and governmental 457 plan clients.

3 Employer-sponsored retirement plans are defined benefit or defined contribution (including employee stock ownership plans). The guarantee is effective for unauthorized activity that occurs on or after Aug. 10, 2017, and after participants have activated two-factor authentication. Some exclusions apply. See the details.

4 DALBAR WebMonitor, December 2017.

The subject matter in this communication is educational only and provided with the understanding that Principal® is not rendering legal, accounting, investment advice or tax advice. You should consult with appropriate counsel or other advisors on all matters pertaining to legal, tax, investment or accounting obligations and requirements.

Insurance products and plan administrative services provided through Principal Life Insurance Co., a member of the Principal Financial Group®, Des Moines, Iowa 50392.