On April 14, 2021, the Department of Labor (DOL) released its first-ever guidance on cybersecurity for retirement benefit plan sponsors, record keepers, service providers, and participants. The guidance comes in three forms:
Plan Sponsors: Tips for Hiring a Service Provider with Strong Cybersecurity Practices
The DOL prepared this list of tips to help plan sponsors and fiduciaries “meet their responsibilities under ERISA to prudently select and monitor” service providers. Plan sponsors are encouraged to engage service providers that follow a recognized standard for information security and use a third-party auditor to review and validate cybersecurity.
While the guidance language appears to address new service providers, it is reasonable to assume that the DOL also expects fiduciaries to evaluate current providers to ensure they are able to meet the same obligations when it comes to cybersecurity.
Record Keepers and Service Providers: Cybersecurity Program Best Practices
Noting that “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks,” the DOL has outlined 12 best practices for service providers and record keepers:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Recommendations on how to implement each of these best practices are also provided.
Plan Participants: Online Security Tips
This document provides participants with information on how to protect their retirement accounts from cybersecurity threats like phishing and urges them to engage in common cybersecurity practices such as routine monitoring of accounts, using strong passwords, employing multi-factor authentication, and more.
The DOL released this guidance two months after the U.S. Government Accountability Office (GAO) issued a report calling on the DOL to review its guidance on cybersecurity administration. The GAO report pointed to an elevated risk for cyber attacks due to the COVID-related shift to remote work over the past year as well as increased retirement plan litigation related to cyber hacks.
HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 678-439-6236.
Hall Benefits Law, LLC
