First Ever DOL Issued Cybersecurity Guidance

On April 14, 2021, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued cybersecurity guidance for employer sponsored retirement plans. This is the first ever issued guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants to implement best practices around cybersecurity to protect retirement benefits.

What’s At Stake

Nowadays, plan sponsors are outsourcing many of their administrative duties to a third-party service provider. The third-party service provider typically utilizes an electronic recordkeeping system and the internet to store and aggregate employee data. This creates a potentially vulnerable environment for hackers to gain unauthorized access to accounts and participants’ personally identifiable information (PII).

As of 2018, EBSA estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion. With this large number of plan participants potentially at risk, proper protection and safeguards are necessary.

DOL Best Practices & Guidance

The Employee Benefits Security Administration has included the following best practices for service providers who store and are responsible for employee data and plan fiduciaries who hire those service providers.

The guidance includes three sections:

1. Tips for Hiring a Service Provider

Plan sponsors should hire service providers who have strong cybersecurity practices in place. Because PII is stored and maintained on the provider's systems, it is important to understand how the provider mitigates risk and ensures that this sensitive data is protected. A few key tips include:

Discuss with your service provider their information security standards, policies, and audit results.

Compare these documents to what other service providers have in place to ensure your provider offers the best protection.

Find out if there is an insurance policy and a cybersecurity guarantee in place that would cover losses caused by cyber-attacks and identity theft breaches.

Learn if your service provider has experienced a security breach and if this has materially impacted their organization.

2. Cybersecurity Program Best Practices

Plan fiduciaries are responsible for protecting participant data and mitigating cybersecurity risks. EBSA has prepared the following 12 best practices that plan fiduciaries should follow when selecting a service provider:

  1. Have a formal, well-documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

3. Online Security Tips

These tips are for plan participants and beneficiaries who check their retirement accounts online. The following tips provided by EBSA will help reduce the risk of fraud and loss to those accounts:

  1. Register, set up, and routinely monitor your account online.
  2. Use strong and unique passwords.
  3. Use multi-factor authentication.
  4. Keep personal contact information current.
  5. Close or delete unused accounts.
  6. Be wary of free Wi-Fi.
  7. Beware of phishing attacks.
  8. Use antivirus software and keep apps and software current.
  9. Know how to report identity theft and cybersecurity incidents.

“With all the recent cyber incidents in the news, it’s reassuring to see the 2021 Guidance release from EBSA. It’s essential to routinely assess cybersecurity controls, understand your risks and how to mitigate them, continue training employees on current cybersecurity risks, and assess the security controls of your third-party administrative entities in order to protect the sensitive data of both employees and plan participants. This Guidance reinforces technology best practices for plan fiduciaries and sponsors as well as their participants.”

REDW Information Technology & Cybersecurity Consultant Jennifer Moreno.

Vigilance Is Key

Recently, there has been more litigation around cyber-attacks across all industries. While there have been few notable cybersecurity lawsuits against retirement plans so far, there is no reason to assume this cannot happen in the future. Most of these cybersecurity cases arise from allegations of negligence. Now is the time to be prepared and on full alert.

These best practices will help shed some light on how to mitigate these risks and protect sensitive data. It is important for participants and plan sponsors to take the necessary precautions to prevent these attacks. The Acting Assistant Secretary for the Department of Labor’s Employee Benefits Security Administration, Ali Khawar, stated on April 14th, “The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries, and participants to safeguard retirement benefits and personal information.”

We Can Help

Cybersecurity concerns remain at the forefront for plan sponsors as hackers refine their methods for stealing private information. REDW Cybersecurity Consultant Jennifer Moreno and your ABG Southwest representative are available as a resource for any questions you may have on any cybersecurity issue. Email Jennifer to set up a cybersecurity consultation, or contact us.
ABG Southwest is a subsidiary firm of REDW LLC.