The Department of Labor (DOL) has issued its first retirement plan guidance addressing cybersecurity risks for employers, plan fiduciaries, recordkeepers and plan participants. The guidance takes the form of recommended best practices to protect retirement benefits: cybersecurity practices for employers and plan service providers, and online security tips for participants.
The concern is that with millions of dollars accumulating in retirement and 401(k) plans, without sufficient protections, participant data and plan assets may be at risk of cybersecurity threats. The guidance confirms the DOL’s view that cybersecurity is a fiduciary obligation and that plan fiduciaries should take reasonable and appropriate steps to protect their retirement plans and related participant data from cybersecurity breaches.
The guidance comes in three parts: (1) cybersecurity program best practices, (2) tips for hiring service providers with strong cybersecurity practices, and (3) online security tips for participants to protect their plan accounts.
Cybersecurity Program Best Practices. This part is intended to help plan fiduciaries and recordkeepers manage cybersecurity risks. The guidance provides the following recommendations:
Formal, well-documented cybersecurity program
Prudent annual risk assessment
Reliable annual third-party audit of security controls
Define and assign information security roles and responsibilities
Strong access control procedures
Assets or data stored in a cloud or managed by a third-party service provider subject to appropriate security reviews and independent security assessment
Periodic cybersecurity awareness training (at least annually)
Have a secure system development life cycle (SDLC) program
Have a business resiliency program addressing business continuity, disaster recovery and incident response
Encrypt sensitive data, both at rest and in transit
Strong technical controls
Timely response to cybersecurity incidents
Tips for Hiring Service Providers with Strong Cybersecurity Practices. These recommendations help employers and plan fiduciaries satisfy their ERISA fiduciary duty to prudently select and monitor service providers with respect to cybersecurity.
Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to industry standards adopted by other financial institutions.
Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standards.
Evaluate the service provider’s track record in the industry, including public information regarding information security incidents and other litigation and legal proceedings related to the vendor’s services.
Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
Determine if the service provider has insurance policies that cover losses caused by cybersecurity and identity theft breaches.
Ensure that service contracts require ongoing compliance with cybersecurity and information security standards and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.
Online Security Tips for Plan Participants. Employers should educate participants on the importance of online security and consider including these tips in participant communications and plan educational meetings.
Establish and routinely monitor online accounts
Use strong and unique passwords
Use two-factor authentication (for example, entering a code sent by text or email)
Keep personal contact information current
Close or delete unused accounts
Beware of public/free wi-fi
Beware of phishing attacks
Use antivirus software and update devices and apps regularly
Know how to report identity theft and cybersecurity incidents – the FBI and Department of Homeland Security maintain sites for reporting cybersecurity incidents.
This guidance clearly establishes that the DOL considers cybersecurity a fiduciary responsibility. Therefore, employers and plan fiduciaries should strongly consider these recommendations for their retirement plans, participants and plan service providers. They should review current practices and provider contracts and consider adopting a cybersecurity policy that includes the applicable best practice suggestions.