DOL Issues Cybersecurity Guidance for Retirement Plans
Earlier this year, the Department of Labor (DOL) outlined a range of practices for combating the growing threat of cybercrime to ERISA-covered retirement plans. This first-ever cybersecurity guidance from the DOL's Employee Benefits Security Administration (EBSA) casts a wide net, addressing plan sponsors, fiduciaries, and recordkeepers as well as plan participants and beneficiaries.
The DOL estimates that defined contribution and defined benefit retirement plans hold a combined $9.3 trillion in assets. These plans also store vast amounts of sensitive personal information in online systems, information that could put participants and their assets at risk if those systems were breached. In issuing this guidance, the DOL acknowledges both the serious risk posed by cybercrime and the obligation of responsible plan fiduciaries under ERISA to help mitigate that risk.
Three Types of Guidance Issued
The DOL’s guidance is presented in three separate documents, each targeting a different audience. These best practices and tips are offered as recommendations for safeguarding the assets and personal information of plan participants while helping to reduce the risk of fraud and loss.
Tips for Hiring a Service Provider
This document aims to help retirement plan sponsors and fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers that follow strong cybersecurity practices. Specific recommendations include:
- Scrutinizing the service provider’s information security standards, practices, policies, and audit results;
- Evaluating its track record in the industry, including whether the provider has experienced any past security breaches and how it responded;
- Asking whether the service provider carries insurance policies that would cover losses from cybersecurity breaches; and
- Reviewing contracts to ensure that they include provisions for compliance with cybersecurity and information security standards.
Cybersecurity Program Best Practices
This document offers 12 best practices addressed to recordkeepers and other service providers responsible for managing plan-related IT systems and data, as well as to the plan fiduciaries responsible for hiring such vendors. The recommended practices include:
- Having a formal, well-documented cybersecurity program;
- Conducting annual risk assessments;
- Holding periodic cybersecurity awareness training sessions; and
- Implementing and maintaining strong technical controls in keeping with industry best practices.
Online Security Tips
While this tip sheet targets plan participants and beneficiaries, the information is also important for plan sponsors to know and potentially integrate into employee education programs focused on online safety. These tips include:
- Regularly monitoring retirement accounts online;
- Creating strong passwords;
- Using multi-factor authentication;
- Being aware of (and knowing the signs of) phishing attacks; and
- Keeping antivirus applications and all system software up-to-date.
Building on Past DOL Guidance
The DOL described this guidance as an important "first step" in safeguarding retirement benefits and personal information, but it also builds on earlier EBSA guidance addressing electronic recordkeeping systems and the controls needed to protect participants' personal information. The current guidance can therefore serve as a call to action for plan sponsors, fiduciaries, and participants to review and update any established cybersecurity practices and protocols, or to build a cybersecurity program around these recommendations where none exists.
While there is no way to eliminate the risk of cybercrime entirely, retirement plan sponsors who understand and take steps to incorporate the DOL’s guidance into their cybersecurity protocols will be on a more solid path to safeguarding their plan assets and participants’ vital information.
The DOL guidance should be read as a set of recommendations rather than as binding regulations or minimum requirements. Those recommendations underscore the importance of continually evaluating, testing, and improving cybersecurity protocols amid a rapidly evolving threat landscape.
For additional guidance on optimizing cybersecurity practices to protect your organization’s retirement plan assets and participants, please connect with a member of MFA’s Cybersecurity Team.
Material discussed in this communication is meant to provide general information and should not be acted on without obtaining professional advice tailored to you or your company’s individual and specific needs. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used by any person or entity, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. This information is for general guidance only and is not a substitute for professional advice.
The information contained herein should not be construed as personalized investment advice. Investment in securities involves the risk of loss, and past performance is no guarantee of future results. There is no guarantee that the views and opinions expressed in this document will come to pass. Historical performance results for investment indexes and/or categories generally do not reflect the deduction of transaction and/or custodial charges or the deduction of an investment-management fee, the incurrence of which would have the effect of decreasing historical performance results. There can be no assurances that your portfolio will match or outperform any particular benchmark.
Information presented is believed to be factual and up-to-date; however, MFA makes no guarantee as to accuracy, completeness, suitability, or validity of any information within this communication and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages from its display or use. Any forward-looking statements are believed to be reasonable; however, MFA gives no assurance that such expectations will prove to be correct.