A quick dive into DOL’s new tips for retirement plan cybersecurity
The Department of Labor announced new cybersecurity guidelines for plan sponsors, plan trustees, recordkeepers, and plan participants just weeks after the U.S. Government Accountability Office released a report urging the agency to address cybersecurity risks in retirement plans.
The guidelines provide best practices for protecting Americans’ $9.3 trillion in retirement assets from cybersecurity risks. The DOL notes that for plans governed by the Employee Retirement Income Security Act, “ERISA requires plan trustees to take appropriate precautions to mitigate these risks.”
Here is a quick walkthrough of the guides, including considerations for hiring a service provider, cybersecurity best practices, and online security tips.
Tips for hiring a service provider
The tips on hiring a service provider are aimed at employers and trustees and provide advice to help them evaluate potential third-party partners.
The document suggests that plan sponsors ask about the service provider’s information security practices and policies and compare them with industry standards adopted by other financial institutions.
Service providers who use an outside auditor to review and validate cybersecurity can create a layer of trust and protection, the document says.
The guidelines also recommend that plan sponsors choose partners who are transparent and willing to share audit results, and that they carefully evaluate the provider’s track record, past security incidents, and litigation.
Contracts with service providers should require ongoing compliance with cybersecurity and information security standards, and plan sponsors should consider seeking insurance coverage for possible violations.
The department’s cybersecurity guidelines include 12 best practices for recordkeepers and other service providers responsible for plan-related IT systems and data, as well as for plan trustees who make decisions about hiring service providers. They include:
- Create a formal, well-documented cybersecurity program that assesses internal and external cybersecurity risks that threaten the confidentiality, integrity, and availability of stored non-public information.
- Carry out annual risk assessments to identify, assess and prioritize information system risks.
- Hire an independent auditor to assess security controls and produce an unbiased report on risks, vulnerabilities, and weaknesses annually.
- Clearly define and assign roles and responsibilities for information security that are managed at the executive level and carried out by qualified personnel.
- Establish tight access control procedures to ensure that users are who they say they are and that they have appropriate access to IT systems and data through authentication and authorization.
- Ensure that assets and data stored in the cloud or managed by third parties are subject to appropriate security audits and independent security assessments.
- Provide cybersecurity awareness training for all employees at least once a year and update the training to reflect the risks identified by the most recent risk assessment.
- Create a secure system development lifecycle (SDLC) program that makes security measures such as penetration testing, code review, and architecture analysis an integral part of the development process.
- Create a business resiliency program that covers business continuity, disaster recovery, and incident response in the event of a breach.
- Encrypt confidential data both at rest and in transit.
- Implement strong technical controls in hardware, software, and firmware.
- Respond to a breach, including notifying law enforcement, insurers, regulators, and affected participants, and remediate the problem to prevent recurrence.
Finally, the department provided online security tips for plan participants. They range from advice on routinely monitoring accounts and using strong, unique passwords to being careful about using public Wi-Fi networks and recognizing phishing tactics.
Possible future reference for assigning responsibility for a breach
“DOL’s guidelines are based on the premise that responsible plan trustees have an obligation to mitigate cybersecurity risk,” Groom Law Group said in a note on the guidelines. “DOL also recognizes that participants and beneficiaries play an important role in cybersecurity. In the future, in the context of a loss suffered by a participant as a result of a cybersecurity breach, this guidance could potentially be used as a reference to assign responsibility for that loss in either DOL enforcement, settlement proceedings, or even courts.”
Kristen Beckman is a freelance writer based in Colorado. She was previously a writer and editor for ALM Retirement Advisor magazine and the LifeHealthPro online channel. She was also a reporter for Business Insurance Magazine, where she covered workers’ compensation issues.