The U.S. Department of Labor has cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers and participants. The guidance aims to help safeguard an estimated $9.3 trillion in plan
assets and pertains to employer-sponsored plans regulated by the Employee Retirement Income Security Act (ERISA).
Since ERISA covers retirement plans and health and welfare plans, you may be wondering whether the DOL's guidance applies only to retirement plans
or to all ERISA-covered plans.
According to Groom Law Group, "notably, while some of the guidance package is framed in the context of
retirement plans, the guidance appears to apply to all ERISA plans, including health and welfare plans, as the underlying fiduciary responsibilities and obligations are equally applicable in both
Ultimately, the guidance confirms that ERISA requires plan fiduciaries to mitigate cybersecurity risks and offers best practices in three areas: service provider selection, the components of a strong cybersecurity system, and online security tips for plan participants.
1. Service provider selection
This part of the guidance provides tips for choosing service providers with strong cybersecurity practices in place.
For example, before hiring a retirement plan service provider:
Ask them about their established information security policies, procedures and standards.
Request to see their audit results and determine whether those results are in line with industry standards.
Inquire about their levels of security and whether they have insurance to cover potential losses caused by a cyberattack.
Find out whether they have suffered security breaches in the past. If so, what happened, and how did they respond?
2. Components of a strong cybersecurity system
As stated, service providers should have a strong cybersecurity system. The second part of the DOL's guidance helps plan fiduciaries understand the components of such a system:
A formal, properly documented cybersecurity program.
Annual risk assessments.
Annual third-party audits.
Periodic cybersecurity awareness training.
Robust access control procedures.
A program addressing business continuity, incident response and disaster recovery.
A chief information security officer to oversee the cybersecurity program.
3. Online security tips for participants
This part of the guidance helps plan participants and beneficiaries who use the internet to check their retirement plans lower the risk of fraud and loss.
The guidance offers online security tips for the following:
Registering, setting up and monitoring an online account.
Utilizing strong and unique passwords.
Applying multifactor authentication.
Keeping personal contact information updated.
Closing or deleting unused accounts.
Being cautious of free Wi-Fi.
Being wary of phishing attacks.
Installing antivirus software and keeping it current.
Knowing how to report cybersecurity incidents, including identity theft.
For more information, see the DOL's Online Security Tips. Also, help your plan participants protect themselves by informing them of the DOL's online security
tips. Finally, note that this is just a summary of the major provisions. Consult qualified professionals and the original DOL guidance for essential details.