On April 14, 2021, the U.S. Department of Labor (DOL) introduced new cybersecurity guidance for retirement plans, including best practices to protect retirement plans from cyber threats. More recently, the DOL has begun to audit retirement plans specifically to see how well they are protected from potential cyber attacks. For plan sponsors, fiduciaries, and administrators, it is imperative that they be proactive in following the DOL’s guidance in this area and the recommended best practices. To begin, the DOL recommends hiring a qualified cybersecurity service firm.
Criteria for Hiring a Cybersecurity Service Firm
When selecting a cybersecurity firm, the DOL recommends that organizations should seek out a firm that:
- Follows a recognized standard for cybersecurity and information security, uses a third-party auditor to validate cybersecurity and adheres to these standards on an ongoing compliance basis (as specified in their contracts);
- Provides annual third-party audits to determine compliance with these standards (as specified in the contract);
- Validates its practices and meets high levels of security standards;
- Provides its customers with access to the results of third-party audits of their cybersecurity measures;
- Shares information about cyber breaches involving customers, corrective measures taken and results;
- Has a proven track record within the industry as attested to in public information (i.e., information security incidents, legal proceedings including litigation) involving the cybersecurity vendor’s services;
- Maintain insurance policies to cover losses caused by cybersecurity and identity theft breaches; and
- Has and observes strict policy guidelines regarding the use and sharing of information, adheres to a strict confidentiality agreement and complies with records retention and destruction privacy and information security laws (i.e., as specified in the contract).
Cybersecurity Measures for Plan Sponsors/Fiduciaries/Administrators
In addition to a prudent selection of a cybersecurity service provider, organizations responsible for protecting workers’ retirement plans are also advised by the Employee Benefits Security Administrator to make sure that all of the plans’ service providers:
- Have a formal, well-documented cybersecurity program,
- Conduct annual risk assessments,
- Have an annual third-party audit of security controls,
- Clearly define and assign information security roles and responsibilities,
- Have strong access control procedures,
- Ensure that assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent assessments,
- Conduct periodic cybersecurity training,
- Implement and maintain a secure system development life cycle program,
- Maintain an effective business resiliency program addressing business continuity, disaster recovery and incident response,
- Encrypt all sensitive data stored and in transit,
- Implement strong technical controls that reflect best security practices, and
- Respond appropriately to any cybersecurity incidents including informing law enforcement and the appropriate insurer, implementing full investigations, informing plans and participants of the incident in order to minimize and prevent further damage. Honor contractual and legal obligations relating to the breach, and take swift and comprehensive action to correct the problem that may have led to the incident or contributed to its existence.
With the DOL now moving forward with its retirement plan cybersecurity audits, it is imperative that plan sponsors, fiduciaries and administrators heed its guidance and implement the proper measures.