DOL Issues Cybersecurity Guidance

The guidance, which is the first of its kind, includes best practices and tips for protecting retirement benefits.
The U.S. Department of Labor (DOL) has released new guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America’s workers. This is the first time the DOL’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance.

As of 2018, the EBSA estimates that there are 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution (DC) plan participants with combined assets of $9.3 trillion. The agency notes that without sufficient protection, these participants and assets may be at risk from internal and external cybersecurity threats.

The DOL also noted that the Employee Retirement Income Security Act (ERISA) requires plan fiduciaries to take appropriate precautions to mitigate these risks.

The guidance comes in three forms.

The first piece of guidance is tips for hiring a service provider with strong cybersecurity practices and monitoring its activities. The EBSA recommends asking about a service provider’s security standards, practices and policies, as well as evaluating its track record in the industry.

The second piece of guidance lays out cybersecurity program best practices to help plan fiduciaries and recordkeepers stay on top of their responsibilities to manage cybersecurity risks. The best practices include having a formal, well-documented cybersecurity program; conducting annual risk assessments; clearly defining roles and responsibilities; and conducting periodic cybersecurity awareness training.

Lastly, the DOL issued online security tips aimed at plan participants and beneficiaries who check their retirement accounts online; they are basic rules to reduce the risk of fraud and loss, such as being wary of public WiFi and using strong, unique passwords.

“The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information,” said Acting Assistant Secretary for Employee Benefits Security Ali Khawar. “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyberthreats.”

In March, the Government Accountability Office (GAO) called on the DOL to issue cybersecurity guidance, saying it failed to clarify fiduciary responsibility for mitigating cybersecurity risks and establish minimum expectations for protecting personally identifiable information and plan assets.

Even before the release, the shift to remote work in the past year in response to the coronavirus pandemic has raised concerns for plan advisers and plan sponsors about cyberattacks, as well as questions about whose responsibility it is to protect participant and plan data. In response, those in the financial advisory industry have increased their cybersecurity measures, especially as more firms have faced lawsuits. Plan sponsors are also being warned of a rise in retirement plan litigation related to cyberhacks.