DOL begins auditing retirement plans for cybersecurity vulnerabilities | Bass, Berry & Sims PLC
To increase protection for America’s estimated $9.3 trillion in retirement assets, the Department of Labor (DOL) has launched a new cybersecurity audit initiative for retirement plans. After issuing its initial cybersecurity guidance in April, the DOL quickly began the initiative by sending requests for information and documents to numerous 401(k) plan trustees. The DOL has stated that ERISA requires plan trustees to take appropriate precautions to mitigate the risks of cybercrime, and this new audit activity makes clear that companies need to align their cybersecurity programs with the guidance or risk a probing and comprehensive examination.
The DOL cybersecurity guidance is aimed at plan sponsors, plan trustees, recordkeepers and plan participants. It offers advice on how cybersecurity measures can best protect American workers’ retirement benefits. The guidance is divided into the following three documents:
- Tips for hiring a service provider
- Cybersecurity Program Best Practices
- Online safety tips
Tips for hiring a service provider
This document focuses on helping plan sponsors select quality service providers with solid cybersecurity practices. It contains a list of questions to ask a service provider when evaluating the effectiveness of its cybersecurity program. It also suggests specific provisions that plan sponsors should ensure are included in any service provider contract. Such contracts should require the service provider to obtain annual third-party cybersecurity audits, specify how quickly the plan sponsor will be notified in the event of a cyber incident or data breach, and require the provider to maintain insurance covering losses due to cybercrime.
Cybersecurity Program Best Practices
This document reaffirms the obligation of plan trustees to ensure adequate mitigation of cybersecurity risk. It provides a list of 12 best practices that recordkeepers and managers of plan-related IT systems should include in their cybersecurity programs. The list includes maintaining a formal, well-documented cybersecurity program; maintaining strict access control procedures; and implementing an effective business resilience program that addresses business continuity, disaster recovery and incident response.
Online safety tips
This document is aimed at plan participants and beneficiaries, with the goal of reducing easily avoidable losses through online risk mitigation techniques such as multi-factor authentication. It warns of the dangers of phishing attacks and lists warning signs that participants can look for to spot a phishing scam before a data breach occurs.
Next steps for plan sponsors
Although DOL audits have already begun, it is never too late to start implementing better cybersecurity practices. Plan sponsors can prepare for an audit and help ensure that their participants’ assets are protected by using the DOL’s guidance to strengthen internal cybersecurity programs and by reaching out to current service providers to confirm their compliance. Click here for a list of sample DOL audit questions.
Plan sponsors may find it useful to review the list and identify which questions are difficult to answer. This exercise can yield an actionable list of potential cybersecurity weaknesses to address before an audit.