DOL Guidance for Retirement Plan Cybersecurity
Earlier this year, the DOL’s Employee Benefits Security Administration issued cybersecurity guidance for retirement plan sponsors, fiduciaries, recordkeepers, and participants. It lays out the obligation of “responsible plan fiduciaries” to mitigate cybersecurity risks to retirement plan assets and participant data. On best practices, the DOL guidance for retirement plan cybersecurity takes a three-pronged approach:
Tips for hiring a retirement plan service provider
Retirement plan cybersecurity best practices
Online security tips for plan fiduciaries and participants
The DOL’s 3-Pronged Cybersecurity Plan
Given today’s heightened cybersecurity risks, adopting a security-first mindset is essential for advisors in the retirement plan space. By educating your clients about the DOL’s cybersecurity expectations, you’ll build relationships with retirement plan sponsors and increase the value you provide them.
How can you help protect the assets and participant data of your retirement plan clients? Let’s review the specifics of the DOL guidance for retirement plan cybersecurity.
1) Tips for hiring a retirement plan service provider. Many (if not most) plan sponsors rely on third-party service providers for assistance with plan administration and recordkeeping. You can help clients make the right decision for their plans by ensuring that they focus on the following best practices when vetting third-party vendors:
Ask about the service provider’s information security standards, practices, policies, and audit results. Your plan sponsor clients should compare these against recognized industry standards, not take them at face value.
Learn how the service provider validates its practices and which security standards it has met and implemented. Look for contract provisions that give the client the right to review the audit results demonstrating compliance with those standards.
Evaluate the service provider’s industry track record. Red flags might include information security incidents, litigation, or legal proceedings related to the vendor’s services.
Discuss whether the service provider has experienced past security breaches. If so, what happened? How did the service provider respond?
Find out whether the service provider carries insurance, and whether those policies would cover losses caused by cybersecurity breaches and identity theft.
Ensure that the service provider contract requires ongoing compliance with cybersecurity and information security standards. Watch for contract provisions that limit the service provider’s responsibility for information security breaches, and look for terms that strengthen cybersecurity protection for the plan and its participants, including:
Information security reporting
Provisions on the use and sharing of information and confidentiality
Notification of cybersecurity breaches
Compliance with records retention and destruction, privacy, and information security laws
2) Retirement plan cybersecurity best practices. Developing a policy based on best practices will enable plan fiduciaries to act prudently and mitigate cybersecurity risk. Be sure to educate your plan sponsor clients on the following pillars of a good policy:
Create a formal, well-documented cybersecurity program to identify and assess internal and external cybersecurity risks that threaten the confidentiality, integrity, or availability of stored, nonpublic information. The program should:
Protect the plan’s systems and nonpublic information from unauthorized access, use, or other malicious acts
Detect cybersecurity events and respond to them
Recover from those events and restore normal operations and services
Establish strong security policies, guidelines, and standards.
Conduct annual risk assessments, as well as periodic cybersecurity awareness training.
Perform an annual third-party audit of security controls.
Define and assign information security roles and responsibilities.
Develop strong data access control procedures.
Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
Implement and manage a secure systems development life cycle (SDLC) program (i.e., a formal way of ensuring that adequate security controls are implemented).
Have an effective business resiliency program that addresses business continuity, disaster recovery, and incident response.
Ensure that sensitive data is encrypted while stored and in transit.
Implement strong technical security solutions and security best practices (e.g., regularly update antivirus software and back up data).
Appropriately respond to past cybersecurity incidents.
3) Online security tips for plan fiduciaries and participants. Although the following tips might be familiar, keeping them top of mind will help your clients and their plan participants reduce the risk of fraud and loss to their retirement accounts:
Register, set up, and routinely monitor any online retirement account.
Create strong and unique passwords.
Use multifactor authentication.
Keep personal contact information current.
Close or delete unused accounts.
Be wary of free Wi-Fi.
Know the signs of a phishing attack.
Use antivirus software and keep apps and software current.
Cybersecurity Awareness Mindset
According to the DOL guidance for retirement plan cybersecurity, the practices described above are designed to help protect an estimated $9.3 trillion in plan assets. A sum that large makes plans and their participants attractive targets, which is why the cyberthreats facing your plan sponsor clients deserve serious attention. If you’re an advisor who supports or acts as a plan fiduciary, you have an obligation to do your part in educating your clients about cybersecurity. It’s also good business practice, and an excellent way to build relationships with retirement plan sponsors.
For more information on cybersecurity, read our recent post on the importance of cyber liability insurance. We also recommend visiting the Cybersecurity Awareness Month website.
This material is for educational purposes only and is not intended to provide specific advice.