Quick dive into DOL's new guidance for retirement plan cybersecurity

Includes 12 best practices for recordkeepers regarding plan-related IT systems and data, and for plan fiduciaries making decisions about hiring them.


The Department of Labor announced new cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants just weeks after the U.S. Government Accountability Office released a report urging the agency to address cybersecurity risks in retirement plans.

The guidance includes best practices aimed at protecting Americans’ $9.3 trillion in retirement assets from cybersecurity risks. The DOL notes that for plans regulated by the Employee Retirement Income Security Act, “ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.” 

Here’s a quick overview of the guidance, which covers considerations for hiring a service provider, cybersecurity best practices and online security tips.

Tips for hiring a service provider

The tips for hiring a service provider are directed at employers and fiduciaries and include advice they can use to evaluate potential third-party partners.

The document suggests plan sponsors ask about the service provider’s information security practices and policies and compare them with industry standards adopted by other financial institutions.

Service providers that use a third-party auditor to review and validate cybersecurity can add a layer of confidence and protection, the document said.

The guidelines further recommend plan sponsors look for partners that are transparent and willing to share audit results, and carefully evaluate past performance, security incidents and litigation.

Contracts with service providers should require ongoing compliance with cybersecurity and information security standards and plan sponsors should consider requiring insurance coverage for potential breaches.

Cybersecurity guidelines

The department’s cybersecurity guidelines include 12 best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data and for plan fiduciaries making decisions about hiring service providers. They include:

  1. Create a formal, well-documented cybersecurity program that assesses internal and external cybersecurity risks that threaten confidentiality, integrity and availability of stored non-public information.
  2. Perform annual risk assessments to identify, estimate and prioritize information system risks.
  3. Hire an independent auditor to evaluate security controls and provide an unbiased report of risks, vulnerabilities and weaknesses annually.
  4. Clearly define and assign information security roles and responsibilities managed at the senior executive level and executed by qualified personnel.
  5. Establish strong access control procedures to guarantee that users are who they say they are and that they have appropriate access to IT systems and data through authentication and authorization.
  6. Ensure assets and data stored in the cloud or managed by third-party providers are subject to appropriate security reviews and independent security assessments.
  7. Provide cybersecurity awareness training at least annually for all personnel and update the training to reflect risks identified by the most recent risk assessment.
  8. Create a secure System Development Life Cycle (SDLC) program that ensures security assurance activities such as penetration testing, code review and architecture analysis are an integral part of development.
  9. Create a business resiliency program that addresses business continuity, disaster recovery, and incident response in the event of a breach.
  10. Encrypt sensitive data at rest and in transit.
  11. Implement strong technical controls in hardware, software and firmware.
  12. Take steps including notifying law enforcement, insurers, investigators and affected participants in the event of a breach and then fix the problem to prevent repeat occurrences.

Finally, the department provided online security tips aimed at plan participants. They range from advice on routinely monitoring accounts and using strong, unique passwords to being careful on public Wi-Fi networks and being aware of phishing tactics.

Possible future reference to allocate responsibility for a breach

“DOL’s guidance is grounded in the premise that responsible plan fiduciaries have a duty to mitigate cybersecurity risk,” said Groom Law Group in a note about the guidance. “DOL also recognizes that participants and beneficiaries have an important role in cybersecurity. In the future, in the context of a benefit loss sustained by a participant due to a cybersecurity breach, possibly this guidance could be used as a reference to allocate responsibility for that loss, either in DOL enforcement actions, settlement actions, or even by courts.”

Kristen Beckman is a freelance writer based in Colorado. She previously was a writer and editor for ALM’s Retirement Advisor magazine and LifeHealthPro online channel. She also was a reporter for Business Insurance magazine covering workers compensation topics.