DOL Publishes Cybersecurity Best Practices for Retirement Plans
The Department of Labor’s Employee Benefits Security Administration (EBSA) released its eagerly anticipated cybersecurity guidance for employee retirement plans on April 14th. The core message of the guidance is that responsible plan trustees are required to ensure adequate mitigation of cybersecurity risks.
The EBSA has set out its guidance in the following materials on its website, although the “Online Safety Tips” are aimed at plan participants rather than plan trustees:
Recommended course of action
Considering that employer-sponsored plans subject to the Employee Retirement Income Security Act (ERISA) hold “millions of dollars or more of assets and personal information of participants”, the EBSA guidance sets out a number of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, and by plan trustees, who are required to make prudent decisions when evaluating and selecting plan service providers. Some of EBSA’s best practices include:
- Run a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Follow strict access control procedures.
- Ensure that any asset or data stored in a cloud or managed by a third party has undergone appropriate security audits and independent security assessments.
- Conduct regular cybersecurity awareness training.
- Have an effective enterprise resilience program that addresses business continuity, disaster recovery, and incident response.
- Encrypt sensitive data at rest and in transit.
EBSA fleshed out each of these best practices to give recordkeepers, service providers and plan trustees more guidance in developing their own policies and procedures.
It is worth noting that these best practices are not dissimilar to other well-known frameworks for protecting personal data. Organizations that have already worked to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the New York SHIELD Act will have a head start on taking similar steps for their retirement plans and/or their services to plans.
Selecting a service provider
The selection of ERISA plan service providers has long been an important fiduciary function for plan trustees. In its guidance, EBSA outlines key cybersecurity issues to consider when choosing service providers, including the following:
- Ask about the service provider’s information security standards, practices, policies and audit results, and compare them to the industry standards followed by other financial institutions. Plan sponsors should not assume that a service provider referred by a trusted source, or one with compelling marketing materials, has taken appropriate cybersecurity safeguards. As the saying goes, “Trust, but verify.” This applies to all third-party plan providers, including large, well-known organizations.
- Ask the service provider how it validates its practices, and which security standards it has met and implemented. Look for contract terms that give you the right to review audit results demonstrating compliance with those standards.
- Ask whether the service provider has experienced any security breaches in the past. What happened, and how did the service provider respond? Because such incidents are frequently reported in the news, review the reports about the service provider’s response to the incident.
- Check whether the service provider has cyber insurance that would cover losses caused by cybersecurity breaches and identity theft, including misconduct by the service provider’s employees or contractors, or by third parties hijacking a plan participant’s account.
- Take into account the service provider’s willingness to include contractual terms that require ongoing cybersecurity compliance, clear rules about the use and disclosure of personal data, responsibility for security breaches, and other key terms addressing a compromise of the plan, the plan sponsor or the participants.
It is important to note that no set of security precautions prevents all data breaches, and no amount of careful examination leads to the selection of an error-free service provider. In many cases, a data breach at a plan service provider does not by itself justify moving away from that provider (here are some reasons for this).
Third-party plan service providers and plan trustees should take reasonable and prudent steps to implement safeguards that adequately protect plan data. The EBSA guidance should help those in charge get there, together with the plan trustees and the trusted counsel of the plan sponsors and other advisors.
Joseph J. Lazzarotti is an attorney at law with Jackson Lewis in Morristown, New Jersey. Joy M. Napier-Joyce is a principal in Jackson Lewis’ Baltimore, Md., office and heads the firm’s Employee Benefits Practice. This article was originally published on the firm’s website in a slightly longer form. © 2021 Jackson Lewis PC. All rights reserved. Republished with permission.