The U.S. Department of Labor’s (DOL) Employee Benefits Security Administration has issued cybersecurity guidance for retirement plans. Released on April 14, 2021, the guidance was much anticipated after the COVID-19 pandemic opened the door to a variety of cybersecurity scams that left employers vulnerable to breaches. In fact, the guidance was published just weeks after the U.S. Government Accountability Office released a report on “internal and external cybersecurity threats,” urging the agency to protect an estimated $9.3 trillion in retirement plan assets.
The guidance is directed at three main audiences: plan sponsors and fiduciaries; record keepers and other service providers to retirement plans; and plan participants and beneficiaries.
Tips for Hiring a Service Provider with Strong Security Practices
The first part of the DOL’s guidance addresses plan sponsors and other plan fiduciaries who rely on service providers to maintain plan records and keep participant data confidential. It identifies specific actions a plan sponsor should take when selecting a service provider, including:
- Asking about the service provider’s security standards, practices, and policies, and reviewing its cybersecurity audit results;
- Asking the service provider how it validates its cybersecurity practices, and what security measures it has implemented;
- Evaluating the service provider’s use and sharing of private and public information regarding cybersecurity incidents and legal proceedings relating to its services;
- Asking whether the service provider has experienced any cybersecurity breaches; and
- Asking whether the service provider has insurance policies that would cover losses resulting from cybersecurity breaches.
Cybersecurity Program Best Practices
The second part of the DOL’s guidance sets out best practices for retirement plan service providers, which should:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Online Security Tips
The final part of the guidance gives plan participants and beneficiaries tips on reducing the risk of fraud and loss to retirement accounts. The DOL’s guidance includes:
- Register, set up, and routinely monitor your online account;
- Use strong and unique passwords;
- Use multi-factor authentication;
- Keep personal contact information current;
- Close or delete unused accounts;
- Be wary of free Wi-Fi;
- Beware of phishing attacks;
- Use antivirus software and keep apps and software current; and
- Know how to report identity theft and cybersecurity incidents.
Employers should continue to monitor any future developments.
Employee Benefits Security Administration’s Tips for Hiring a Service Provider with Strong Security Practices (PDF)
Employee Benefits Security Administration’s Cybersecurity Program Best Practices (PDF)
Employee Benefits Security Administration’s Online Security Tips (PDF)