Nationwide Account Lock

We support your participants by providing Nationwide Account Lock, which protects your participants with:

• Enhanced security that’s under their control
• Options to lock and unlock their account when they’re ready
• Notifications every time a distribution is requested, providing an extra layer of protection

As partners in protection against bad actors, we wanted to share some best practices with our plan sponsors specific to the daily account access and management you have.

1. Avoid oversharing personal information
   One of the most common ways that data breaches occur is through oversharing of personal information. Be cautious about the amount of personal information shared on your organization’s webpages, including bio or brag pages, and on social media. This can reveal information that can be used to target individuals.
   
   
2. Manage access
   Ensure timely revocation of access to the Plan Sponsor portal during staff turnover. The plan sponsor should notify the Recordkeeper of changes, adjust permissions as needed, and grant access based on job requirements. This maintains security and integrity within the organization.
   
   
3. Be vigilant for spotting Business Email Compromise (BEC)
   BEC is a type of phishing attack where fraudsters impersonate organization owners, executives, and/or key staff to deceive employees into transferring money or turning over confidential data. Here are some tips to spot BEC:
   
   
   • Check the sender: Hover over the sender’s name and check if it’s their legitimate email address.
   • Check the recipients: Look at the number of people the email is addressed to. Lots of random recipients could mean a phisher trying their luck.
   • Review your privacy settings across your social and professional accounts.
   • Flag suspicious emails as spam/junk in your email inbox.
     
     
4. Establish and maintain a cybersecurity policy
   A cybersecurity policy guides employees’ behavior with regard to the security of company information and IT systems. It helps protect the company’s information assets, including intellectual property, from unauthorized disclosure, modification, access, use, or destruction. The policy should include measures to protect company data and sensitive information, describe how employees can communicate with the company in the event of a breach, and articulate the strategies in place to reduce vulnerability, monitor for incidents, and address security threats. It should also define the who, what, and why regarding the desired behavior, and play an important role in an organization’s overall security posture. Public trust in an organization, employee engagement and investor confidence may suffer without strong information security protocols.
   
   
5. Follow DOL’s cybersecurity guidance
   The U.S. Department of Labor (DOL) has issued cybersecurity guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants. This guidance includes best practices for maintaining cybersecurity and tips on how to protect the retirement benefits of America’s workers.
   
   Here are some of key points from the DOL’s cyber guidance:
   
   
   • Service provider: Prudently choose a service provider with robust cybersecurity practices, ensuring the safety of retirement accounts.
   • Cybersecurity best practices: Implement a comprehensive cybersecurity program to manage risks associated with retirement accounts.
   • Online security: Encourage plan participants to follow basic online security measures to reduce the risk of fraud.
   • Annual risk assessments: Conduct annual risk assessments to identify vulnerabilities.
     
   • Third-party audit: Arrange for an annual third-party audit of security controls.
     
   • Cybersecurity training: Provide regular cybersecurity awareness training to all staff.
     
   • Data encryption: Ensure sensitive data, both stored and in transit, is encrypted.
   • Incident response: Have a plan in place to respond effectively to any cybersecurity incidents.