DOL Releases Cybersecurity Guidance for Plan Sponsors
The Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) today released a three-part guidance package on cybersecurity for plan sponsors, plan fiduciaries, service providers, and participants. This guidance comes on the heels of the Government Accountability Office (GAO) report on cybersecurity risks for retirement plans released earlier this year. An EBSA news release accompanies the guidance release.
Tips for Hiring a Service Provider with Strong Cybersecurity Practices is a list of tips and questions for plan sponsors and fiduciaries to ask of their service providers about the providers’ cybersecurity practices. The tips are designed “to help business owners and fiduciaries meet their responsibilities under ERISA to prudently select and monitor such service providers.” Fiduciaries are encouraged to ask about a service provider’s security standards and practices, how those practices are validated, and how the service provider responded to any past security breaches. Additionally, fiduciaries are advised to ensure that their contract with a service provider covers areas regarding cybersecurity protection for the plan and its participants.
Cybersecurity Program Best Practices is a list of 12 best practices that recordkeepers and other service providers responsible for plan-related IT systems and data should follow. While designed as best practices, in implementation the list appears to establish minimum standards that recordkeepers should follow regarding their IT systems that hold plan and participant data. Among the recommendations, the best practices define how a “prudently designed” cybersecurity program will operate, including reviews of annual risk assessments and third-party audits, and how a recordkeeper maintains access control of information among its employees. Recordkeepers are also advised to maintain business continuity, disaster recovery, and incident response plans.
Online Security Tips is a list of common-sense recommendations for participants and beneficiaries to follow to help reduce the risk of fraud and loss in their retirement accounts. While designed with retirement accounts in mind, this list provides good recommendations for all general online activity that everyone should keep in mind. Individuals are advised to register and routinely monitor their online accounts while using strong and unique passwords with multi-factor authentication. Being mindful of phishing attacks and wary of free wi-fi are also important to reduce a criminal’s access to one’s personal information and accounts.