DOL publishes tips on cybersecurity best practices for retirement plans
The Department of Labor (the “DOL”) published guidance on cybersecurity and privacy best practices for retirement plan providers and participants on April 14, 2021. Almost $10 trillion is held in retirement plans, making them a lucrative target for hackers and other bad actors. Managing a retirement plan often requires multiple parties to disclose and protect sensitive or personally identifiable information (“PII”). Plan sponsors and providers should therefore set security standards if they have not already done so.
Participants trust their providers and sponsors to keep their personal data secure, so every party has a role to play in protecting that information against breach. The DOL guidance contains best practices and tips that help all three groups avoid a breach involving retirement benefit data.
In particular, DOL has issued guidelines that cover:
- Cybersecurity program best practices for plan service providers,
- Tips for plan sponsors on hiring service providers with strong cybersecurity practices, and
- Online security tips to help plan participants protect their accounts.
For providers, the DOL recommends creating a formally documented cybersecurity program to protect both the information systems and the information they hold from unauthorized access. There should be clearly defined security roles and responsibilities, as well as strict access control procedures. Sensitive information and data should be encrypted both at rest and in transit, and strong technical controls should be in place throughout. Service providers should conduct risk assessments and third-party security control reviews, and they should only work with well-vetted third parties who are themselves subject to appropriate security reviews or assessments.
When hiring plan service providers, the DOL recommends that plan sponsors take reasonable care to confirm that the provider follows strict cybersecurity practices. A plan sponsor should look for vendors that have standards, practices, guidelines, and audit results in place, along with an articulated plan for how those practices will be validated. Sponsors are obliged to protect their participants' data, so they should prioritize partnering with vendors that have well-documented track records, especially with respect to any security breach the vendor has experienced in the past. Sponsors should also ensure that contracts with providers specifically require ongoing compliance with information security standards and procedures, such as information security audits, restrictions on the use or disclosure of information, notification of security incidents or breaches, compliance with applicable data protection and data security laws or regulations, and maintenance of ongoing cyber liability insurance coverage.
Finally, the DOL encourages plan participants to be smart about their online security and provides basic tips: monitor accounts frequently, use unique passwords, use multi-factor authentication, avoid free Wi-Fi, recognize and avoid phishing attacks, and keep contact information up to date. The DOL also encourages participants to know when and how to report identity theft and cybersecurity incidents.
While these practices are particularly relevant to the retirement plan industry, they apply generally to all companies and industries. Maintaining a comprehensive information security program to protect confidential or personally identifiable information is a best practice for every business (and a legal requirement for some).