DOL Issues New Cybersecurity Guidance for Plan Sponsors, Fiduciaries, Record-Keepers and Participants

Cyber breaches have become increasingly more pervasive with new threats occurring on a daily basis. Given this and the fact that the Employee Benefits Security Administration (ESBA) estimates that, in the U.S. today, there are 34 million defined benefit plan participants and 106 million defined contribution plan participants in plans with assets totaling approximately $9.3 trillion, the Department of Labor (DOL) has issued, for the first time, cybersecurity guidance. Directed at plan sponsors, fiduciaries record-keepers and participants, the DOL’s guidance covers tips for hiring a service provider, best practices and online security tips.

Objectives

When making the announcement, DOL Acting Assistant Secretary for Employee Benefits Security Administration Ali Khawar stated, “The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information. This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”

The DOL’s announcement noted that this latest cybersecurity guidance complements EBSA’s existing regulations on electronic records and disclosures to plan participants and beneficiaries which encompass provisions on:

• Ensuring that electronic recordkeeping systems have reasonable controls,
• Ensuring that there are adequate records management systems, and
• Ensuring that electronic disclosure systems include measures designed to protect Personal Identifiable Information.

Plan Service Provider Hiring Tips

1. The DOL offered the below tips to assess the quality of a service provider’s cybersecurity controls.
2. Compare the service provider’s information security standards, practices, policies and audit results to industry standards adopted by other financial institutions.
   Inquire as to how the service provider validates its practices and what security standards it has met and implemented.
3. Evaluate the service provider’s cyber performance by reviewing public information regarding security incidents, litigation and/or other legal proceedings involving the company.
4. Ask for the service provider’s history relating to security breaches and if any, request a complete accounting of what happened and how the company responded.
   Determine what, if any, insurance policies are in place to cover losses stemming from a cybersecurity and identity theft breach.
5. Build in ongoing compliance with cybersecurity and information security standards into any service provider contract and be especially cautious regarding any contract provisions, which may limit the service provider’s responsibility for IT security breaches. Include in your contract terms requirements for: annual third-party audits to determine compliance with information security policies and procedures, provisions on the use and sharing of confidential information without permission, notification of cybersecurity breaches, cyber breach insurance, and compliance with records retention and destruction, privacy and information security laws.

Watch for future blogs presenting the DOL’s recommended cybersecurity best practices and online tips.