Cybersecurity Tips for Retirement Plan Sponsors | Sheppard Mullin Richter & Hampton LLP

The Department of Labor recently issued cybersecurity guidance for retirement plans. The department's Employee Benefits Security Administration (EBSA) has issued guidance in three areas: (1) hiring and working with vendors and service providers; (2) implementing an internal cybersecurity program for the plan; and (3) online security for plan participants and end users.

Recommendations to plan sponsors and administrators are:

  • Ask vendors what security practices they use and how those measures are validated;
  • Determine the type and scope of the providers' cyber insurance coverage;
  • Establish a formal cybersecurity program and conduct annual risk assessments;
  • Use security measures such as encryption and hold regular training courses;
  • Inform users about common risks such as free WiFi or poor password hygiene.

These guidelines provide clarity on how the EBSA will interpret the electronic record-keeping rules (which require plan administrators to put in place adequate controls and records management) and the rules relating to plan fiduciaries' responsibilities. Although these are the EBSA's first cybersecurity recommendations, they will look familiar to anyone who knows other frameworks such as the NIST Cybersecurity Framework and other governmental guidance on managing vendors, including the current NYDFS requirements for third-party service providers.

Putting it into practice: This first EBSA cybersecurity guidance signals the agency's expectations for cybersecurity. Its focus on vetting and onboarding service providers deserves particular attention. These precautionary measures matter most for providers whose processes are automated and/or who have detailed knowledge of their customers' IT systems (knowledge that could be exploited by a malicious actor). Plan sponsors and other fiduciaries with existing cybersecurity programs will want to compare their control and vendor management programs against these three newly issued pieces of guidance.