First Ever DOL Issued Cybersecurity Guidance
On April 14, 2021, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued cybersecurity guidance for employer-sponsored retirement plans. This is the first guidance EBSA has ever issued to help plan sponsors, plan fiduciaries, recordkeepers, and plan participants implement cybersecurity best practices to protect retirement benefits.
What’s At Stake
Nowadays, plan sponsors outsource many of their administrative duties to a third-party service provider. The third-party service provider typically uses an electronic recordkeeping system and the internet to store and aggregate employee data. This creates a potentially vulnerable environment in which attackers may gain unauthorized access to accounts and to participants’ personally identifiable information (PII).
As of 2018, EBSA estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion. With this large number of plan participants potentially at risk, proper protection and safeguards are necessary.
DOL Best Practices & Guidance
The Employee Benefits Security Administration has included the following best practices for service providers who store and are responsible for employee data and plan fiduciaries who hire those service providers.
The guidance includes three sections:
1. Tips for Hiring a Service Provider
Plan sponsors should hire service providers who have strong cybersecurity practices in place. PII is stored and maintained on their systems, so it is important to understand how they mitigate risk and ensure this sensitive data is protected. A few key tips include:
- Discuss with your service provider their information security standards, policies, and audit results.
- Compare these documents to what other service providers have in place to ensure your provider offers the best protection.
- Find out if there is an insurance policy and a cybersecurity guarantee in place that would cover losses caused by cyber-attacks and identity theft breaches.
- Learn if your service provider has experienced a security breach and if this has materially impacted their organization.
2. Cybersecurity Program Best Practices
Plan fiduciaries are responsible for protecting participant data and mitigating cybersecurity risks. EBSA has prepared the following 12 best practices that plan fiduciaries should look for when selecting a service provider:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
3. Online Security Tips
These tips are for plan participants and beneficiaries who check their retirement accounts online. The following tips provided by EBSA will help reduce the risk of fraud and loss to those accounts:
- Register, set up, and routinely monitor your account online.
- Use strong and unique passwords.
- Use multi-factor authentication.
- Keep personal contact information current.
- Close or delete unused accounts.
- Be wary of free Wi-Fi.
- Beware of phishing attacks.
- Use antivirus software and keep apps and software current.
- Know how to report identity theft and cybersecurity incidents.
Vigilance Is Key
Recently, there has been more litigation around cyber-attacks across all industries. While there have been few notable cybersecurity lawsuits against retirement plans so far, there is no reason to assume this cannot happen in the future. Most of these cybersecurity cases arise from negligence. Now is the time to be prepared and on full alert.
These best practices will help shed some light on how to mitigate these risks and protect sensitive data. It is important for participants and plan sponsors to take the necessary precautions to prevent these attacks. The Acting Assistant Secretary for the Department of Labor’s Employee Benefits Security Administration, Ali Khawar, stated on April 14th, “The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries, and participants to safeguard retirement benefits and personal information.”
We Can Help
Cybersecurity concerns remain at the forefront for plan sponsors as hackers refine ways to criminally acquire private information. REDW Cybersecurity Consultant Jennifer Moreno and your ABG Southwest representative are available to you as a resource for any questions you may have on any cybersecurity issue. Email Jennifer to set up a cybersecurity consult, or Contact us.
ABG Southwest is a subsidiary firm of REDW LLC.