On April 14, 2021, for the first time ever, the U.S. Department of Labor’s Employee Benefits Security Administration published guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on best practices for maintaining cybersecurity.
This marks an important initial step in this growing area of concern by establishing minimum expectations for retirement plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA).
The cybersecurity guidance was published by the DOL in three separate documents with highlights as follows.
Tips for hiring a service provider with strong cybersecurity practices
This guidance offers six tips to help plan fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers. Highlights of the tips for hiring a service provider include:
- Ensure they follow a recognized standard for information security and use a third-party auditor to review and validate cybersecurity.
- Ask them how they validate their practices and what levels of security standards they have met and implemented. Also ask for the right to review audit results demonstrating compliance.
- Evaluate their industry and public track record regarding cybersecurity and information security-related incidents.
- Inquire about past security breaches including what happened and how they responded.
- Find out whether they have any insurance policies covering losses caused by cybersecurity, identity theft breaches, or other internal and external threats such as their own employees, contractors, or third parties.
- Verify the contract with them requires ongoing compliance with cybersecurity and information security standards, while not limiting responsibility for IT security breaches.
Cybersecurity program best practices
This guidance includes 12 areas of focus plan fiduciaries should include to help ensure proper mitigation of cybersecurity risks.
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Online security tips
This guidance is targeted toward retirement plan participants to help reduce risk of fraud and loss to retirement accounts. It includes several basic rules individuals should follow to help maintain security, such as: using strong, unique passwords and multi-factor authentication, registering, and routinely monitoring their online account, keeping contact information current, and using antivirus software. The tips also offer reminders such as being wary of free Wi-Fi, phishing attacks, closing or deleting unused accounts, and keeping apps and software patched.
A more secure future
The DOL guidelines are a step in the right direction in guiding the industry on cybersecurity. With this guidance as a starting point, my hope is that processes will standardize and provide confidence to plan sponsors of the maturity of a service provider’s cybersecurity program. I look forward to future developments from the DOL and discussions with our broader retirement community on best practices for maintaining cybersecurity. We’ll collectively work towards the common goal of protecting retirement benefits and information of America’s workers.
Plan fiduciaries are encouraged to work closely with their consultant and/or ERISA counsel to discuss the DOL guidance as they take appropriate precautions to help mitigate cybersecurity risk.