The guidance is targeted at plan sponsors, fiduciaries, and record keepers of all sizes that are regulated by ERISA, as well as plan participants and beneficiaries. Its release marks the first time the DOL’s Employee Benefits Security Administration (EBSA) has outlined and issued directions relating to cybersecurity.
Cybersecurity-related problems affect organizations of all shapes and sizes and are a point of concern for both plan sponsors and plan participants. According to the EBSA, “there were more than 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion” as of 2018. The EBSA notes that, without adequate protection and preparation, these participants and assets will continue to be at risk from internal and external cybersecurity threats. Plan sponsors and fiduciaries need to take appropriate action to ensure that those threats are effectively mitigated.
The guidance released by the DOL’s EBSA is divided into three parts: the first focusing on plan sponsors, the second focusing on record keepers and service providers, and the third focusing on plan participants.
Selecting a qualified and experienced service provider is a critical step in establishing a secure environment. Directed at plan sponsors, this part of the guidance focuses on best practices for hiring service providers. It is worth noting that the EBSA places the responsibility to “prudently select and monitor” service providers with strong cybersecurity practices on employers and fiduciaries. All potential service providers should be evaluated before engagement and closely monitored afterwards. Questions to ask a potential service provider include:
The guidance for record keepers and service providers outlines the baseline practices to implement so that the risk of fraud and loss to retirement accounts is mitigated. A snapshot of several high-level best practices includes:
Plan participants and beneficiaries can reduce cyber threats and other risks to their retirement accounts through consistent monitoring. The tips provided include:
The best practices and tip sheets outlined by the EBSA should be considered by all organizations, regardless of the size of plan assets or the number of participants. Organizations that already have a well-established cybersecurity strategy should continue to be prudent and monitor risks. Plan sponsors should continuously monitor the effectiveness of their service providers’ cybersecurity controls rather than relying on a one-time assessment at the point of hiring.