DOL Issues Cybersecurity Guidance for Retirement Plan Sponsors

JUNE 1, 2021

Since retirement plan administration and execution is now performed almost entirely on online electronic platforms, plan fiduciaries must confront the reality of cybersecurity threats to plan assets, participant data, and participant accounts. On April 14, 2021, the U.S. Department of Labor (DOL) issued new guidance on cybersecurity for defined contribution and defined benefit pension plans subject to ERISA. The guidance outlines best practices broken out into three groups, each addressing a different audience:

• For plan sponsors: Tips for Hiring a Service Provider With Strong Cybersecurity Practices
• For record-keepers: Cybersecurity Program Best Practices
• For plan participants: Online Security Tips

A summary of each set of guidance follows, which outlines the best practices for mitigating cybersecurity risks.

Tips for Hiring a Service Provider With Strong Cybersecurity Practices

To comply with ERISA’s requirement that retirement plan service providers are prudently selected and monitored, the DOL offers the following six recommendations:

1. Inquire about each service provider’s information security practices, policies and audit results, and compare to industry standards;
2. Ask each service provider what levels of security standards it implements and has met, and identify provisions of service provider’s agreement that permit the review of audit results demonstrating compliance with these standards;
3. Assess each service provider’s reputation by searching publicly available information on past security incidents, litigation and legal proceedings;
4. Ask service providers about any past security breaches, including what happened and how they responded;
5. Inquire about service provider’s insurance policies covering losses attributable to cybersecurity failures and identity theft breaches (both internal and external); and
6. Confirm service provider agreements require ongoing compliance with information security and cybersecurity standards, and an acceptable level of indemnification for IT security breaches (e.g., agreement addresses third-party audits, confidentiality requirements, notifications of cybersecurity breaches, record retention compliance standards and insurance).

Cybersecurity Program Best Practices

The DOL guidance describes 12 protocols for record-keepers and other service providers responsible for IT systems and data related to retirement plans. The guidance recommends the following:

1. Establish and maintain a formal, well-documented cybersecurity program;
2. Conduct a prudent annual risk assessment;
3. Engage a reliable third party to conduct an annual audit of security controls;
4. Clearly define and assign information security roles;
5. Establish strong access control procedures;
6. Confirm that any data or assets stored in a cloud or maintained by a third party are subject to security reviews and independent security assessments;
7. Conduct cybersecurity awareness training periodically;
8. Establish and manage a secure system development life cycle (SDLC) program;
9. Establish an effective business resiliency program that addresses business continuity, disaster recovery and incident response;
10. Encrypt stored and in-transit sensitive data;
11. Establish strong technical controls that reflect best security practices; and
12. Respond appropriately to and document any past cybersecurity incidents.

Online Security Tips

The DOL’s recommendations for retirement plan participants to secure their retirement plan accounts include routine monitoring of plan accounts, use of strong and unique passwords, use of multifactor authentication, keeping participant contact information current, closing unused accounts, avoiding free Wi-Fi when accessing accounts, and being aware of phishing attacks. Although not required, it is a good idea to provide these tips to plan participants.