In an effort it describes as “an important step” toward safeguarding more than $9.3 trillion in retirement assets, the U.S. Department of Labor (DOL) published its first cybersecurity guidance last week (Cybersecurity Guidance). Significantly, the Cybersecurity Guidance formally states the DOL’s position that cybersecurity is a matter of fiduciary responsibility under the Employee Retirement Income Security Act of 1974, as amended (ERISA), stating that ERISA requires plan fiduciaries to take appropriate precautions to mitigate cybersecurity risks.
Although the Cybersecurity Guidance does not provide a minimum standard or safe harbor approach for mitigating cybersecurity risks, plan sponsors and other fiduciaries would be wise to assess the strength of their current cybersecurity practices and risk mitigation efforts against the best practices and tips set forth in the Cybersecurity Guidance, which indicates that plan sponsors and fiduciaries should do the following:
Select and monitor service providers with an eye toward cybersecurity. The Cybersecurity Guidance provides a series of questions that could serve as a starting point for this review, covering topics such as the service provider’s information security standards, track record, cybersecurity insurance coverage, and cybersecurity validation techniques. Plan sponsors and fiduciaries should carefully review the full list of DOL tips for hiring a service provider with strong cybersecurity practices.
Conduct periodic reviews of the cybersecurity programs of recordkeepers and other service providers responsible for plan-related IT systems and data and request that service providers demonstrate the manner in which their cybersecurity program reflects DOL best practices.
Review the terms of agreements with service providers to ensure they require ongoing compliance by the service providers with cybersecurity and information security standards and contain best practice provisions such as requiring prompt notification of cybersecurity breaches. At a minimum, plan sponsors should make efforts to address the list of contract provisions suggested by the DOL in its list of tips for hiring a service provider with strong cybersecurity practices.
Educate participants and beneficiaries who manage their retirement accounts online about online security. To the extent recordkeepers or other service providers already offer participants and beneficiaries training of this nature, plan sponsors and fiduciaries should review the existing materials to confirm that they reflect all of the DOL’s online security tips.