New ERISA pointers on cybersecurity of retirement plans | Vandeventer Black LLP
The Department of Labor (DOL) has issued its first guidance on cybersecurity for retirement plans, directed at plan sponsors, plan fiduciaries, recordkeepers, and plan participants. The guidance consists of recommended best practices for protecting retirement benefits: strong cybersecurity practices for plan sponsors and their service providers, and online security tips for participants.
The concern is that participant data and plan assets, with millions of dollars accumulating in retirement and 401(k) plans, could be exposed to cybersecurity threats if they are not adequately protected. The guidance affirms DOL's view that cybersecurity is a fiduciary obligation and that plan fiduciaries should take reasonable and proportionate steps to protect their retirement plans and associated participant data from breaches.
The guide consists of three parts: (1) best practices for cybersecurity programs, (2) tips for hiring service providers with strong cybersecurity practices, and (3) online security tips for participants to protect their plan accounts.
Cybersecurity program best practices. These are intended to help plan fiduciaries and recordkeepers manage cybersecurity risk. The guidance includes the following recommendations:
- A formal, well-documented cybersecurity program
- A prudent annual risk assessment
- A reliable annual third-party audit of security controls
- Clearly defined and assigned information security roles and responsibilities
- Strong access control procedures
- Appropriate security reviews and independent security assessments for any assets or data stored in the cloud or managed by a third-party service provider
- Periodic cybersecurity awareness training (at least annually)
- A secure system development life cycle (SDLC) program
- A business resiliency program that addresses business continuity, disaster recovery, and incident response
- Encryption of sensitive data, both at rest and in transit
- Strong technical controls in line with security best practices
- Appropriate and timely response to any cybersecurity incidents
Tips for hiring service providers with strong cybersecurity practices. These recommendations help employers and plan fiduciaries fulfill their ERISA fiduciary duty to prudently select and monitor service providers' cybersecurity practices.
- Ask about the service provider's information security standards, practices, and policies, as well as its audit results, and compare them to the industry standards followed by other financial institutions.
- Ask the service provider how it validates its practices and which security standards it has met and implemented. Look for contract terms that give you the right to review audit results demonstrating compliance with those standards.
- Evaluate the service provider's track record in the industry, including public information on information security incidents, other litigation, and legal proceedings related to the services provided.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Find out whether the service provider carries insurance that would cover losses caused by cybersecurity and identity theft breaches.
- Ensure that service contracts require ongoing compliance with cybersecurity and information security standards, and beware of contract clauses that limit the service provider's responsibility for IT security breaches.
Online security tips for plan participants. Employers should educate participants about the importance of online security and consider including these tips in participant communications and plan enrollment or training sessions.
- Set up online accounts and routinely monitor them
- Use strong and unique passwords
- Use multi-factor authentication (e.g. entering a code sent via text or email; where the plan website offers it, an authenticator app is a stronger second factor than a code sent by text or email).
- Keep your personal contact information up to date
- Close or delete unused accounts
- Beware of public / free Wi-Fi
- Beware of phishing attacks
- Use antivirus software and update devices and apps regularly
- Know how to report identity theft and cybersecurity incidents; the FBI and the Department of Homeland Security maintain cybersecurity incident reporting websites:
It is clear from this guidance that DOL regards cybersecurity as a fiduciary responsibility. Employers and plan fiduciaries should therefore strongly consider these recommendations for their retirement plans, participants, and plan service providers. You should review current practices and vendor agreements, and consider adopting a written cybersecurity policy that incorporates the applicable best practices.