We use cookies to improve your experience and optimize user-friendliness. Read our cookie policy for more information on the cookies we use and how to delete or block them. To continue browsing our site, please click accept.

Cybersecurity Guidance for Employee Benefit Plans Released by the DOL

In April 2021, the Department of Labor (DOL) announced official guidance relating to cybersecurity best practices, including maintaining security frameworks, reducing cyber risks, and ensuring retirement benefits are protected.

The guidance is targeted for plan sponsors, fiduciaries, and record keepers of all sizes and regulated by ERISA, as well as plan participants and beneficiaries. The release of the guidance is the first time that directions relating to cybersecurity has been outlined and issued by the DOL’s Employee Benefits Security Administration (EBSA).

Cybersecurity-related problems impact organizations of all shapes and sizes and can be a point of concern for both plan sponsors and plan participants. According to the EBSA, “there were more than 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion” as of 2018. Without adequate protection and preparation, the EBSA notes that these participants and assets will continue to be at risk for internal and external cybersecurity threats. Plan sponsors and fiduciaries need to take appropriate action to ensure that impacts are effectively mitigated.

The guidance released by the DOL’s EBSA is divided into three parts: the first focusing on plan sponsors, the second focusing on record keepers and service providers, and the third focusing on plan participants.

1. Tips for Hiring a Service Provider with Strong Cybersecurity Practices

Selecting a qualified and experienced service provider is a critical step in a successfully establishing a secured environment. Directed towards plan sponsors, the guidance focuses on best practices for hiring service providers. It is worth noting that the EBSA outlines the responsibility to “prudently select and monitor” service providers with strong cybersecurity practices to fall upon the employers and fiduciaries. All potential service providers should be evaluated and closely monitored. Several questions to ask a potential service provider include:

  • What information security standards, practices, and policies are in place, and how does it compare to industry standards?
  • What is the service provider’s track record with previous incidents, security breaches, or legal proceedings?
  • Does the service provider have insurance policies in place that would cover any losses caused by threats or breaches?
  • Is your contract with the service provider in compliance with cybersecurity and information security standards?

2. Cybersecurity Program Best Practices

The guidance for record keepers and service providers outlines the basic rules to implement and ensure that the risk of fraud and loss to retirement accounts is mitigated. A snapshot of several high-level best practices include:

  • Ensure the organization has a robust, well-documented cybersecurity program with strong security policies, guidelines, and standards that meet the provided criteria.
  • Conduct annual risk assessments to identify potentially concealed threats.
  • Third-party audits of the organization’s security controls (known as System and Organization Controls or SOC) can provide valuable information to assess risks associated with both operational and financial access to systems and data.
  • Distinctly identify the senior executive and management personnel in charge of the cybersecurity program, outlining their roles and responsibilities and ensure that they meet the qualifications needed to protect the organization successfully.
  • Enable access control methods such as authentication and authorization to ensure that only appropriate personnel have access to secured IT systems and data.

3. Online Security Tips

Plan participants and beneficiaries can reduce cyber threats and other risks to retirement accounts through consistent monitoring. Among the tips provided include:

  • Adopt a firm password policy, utilizing a combination of 14 or more upper and lower case letters, numbers, and special characters. The passphrase should be unique and not used in conjunction with other accounts.
  • Use multi-factor authentication, requiring computer users to provide multiple pieces of information to login to a system, program, or website.
  • Avoid using public Wi-Fi- networks.
  • Be vigilant for phishing attacks.
  • Review and update anti-virus and firewall configurations and ensure your operating system is current.

The best practices and tip sheets outlined by EBSA should be considered by all organizations regardless of the size of the plan assets and participants. Organizations that already have a well-established cybersecurity strategy within their organization should continue to be prudent and monitor risks. Plan sponsors should continuously monitor the effectiveness of the cyber security controls of their service providers.

Don’t delay – Reach out to a team member of Withum to protect your business and plan participants today.

Employee Benefit Services

Previous Post
Next Post
Article Sidebar Logo Cybersecurity Program Best Practices Read More

Get news updates and event information from Withum