Clear Disclosure Partners introduced a new service for retirement plan sponsors and fiduciaries—the Cybersecurity Risk Management Program for Retirement Plans.
Developing a prudent process for reviewing and improving retirement plan cybersecurity is one of the biggest emerging issues in the retirement industry. While the Employee Retirement Income Security Act (ERISA) does not mandate a written cybersecurity policy, plan sponsors are required to always act prudently and to document that process. Creating a cybersecurity risk management program for the unique requirements of individual plans is increasingly seen as a fiduciary “best practice” for retirement plan sponsors and fiduciaries, according to Clear Disclosure Partners.
Recently, cybersecurity concerns about retirement plans have been getting some high-level attention. At the end of 2018, the ERISA Advisory Council asked for guidance from the Department of Labor (DOL) about how plan sponsors should evaluate cybersecurity risks and requested they mandate that employers create a process to manage cybersecurity. This past February, Senator Patty Murray, D-Washington, and Congressman Bobby Scott, D-Virginia, sent a letter to the Government Accountability Office requesting that the GAO examine the cybersecurity of the retirement system.
“It’s our view that, by either regulatory mandate or ‘prescribed best practices,’ retirement plan sponsors and fiduciaries will soon be compelled to oversee a cybersecurity program for their retirement plans similar to the cybersecurity program demanded of registered investment advisers,” says Dave Dickinson, president of Clear Disclosure Partners.
The Cybersecurity Risk Management Program develops and manages an ongoing cybersecurity program for retirement plans, including:
- A review of the cybersecurity risks and the unique “cyber circumstances” particular to each employer’s retirement plan.
- In consultation with the plan sponsor and fiduciaries, development of a prudent process for cybersecurity management, including policies, procedures and a cybersecurity manual. The program must be tailored to the plan, not boilerplate.
- Review of plan provider cybersecurity policies and procedures including a review of contractual provisions relating to cybersecurity.
- Employee education about cybersecurity risk and best practices.
- Annual cybersecurity review and compliance meeting.
- Creation and maintenance of a cloud-based cybersecurity risk management program compliance file.