DOL Weighs in on Cybersecurity

The U.S. Department of Labor has cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers and participants. The guidance aims to help safeguard an estimated $9.3 trillion in plan assets and pertains to employer-sponsored plans regulated by the Employee Retirement Income Security Act (ERISA).

Since ERISA covers retirement plans and health and welfare plans, you may be wondering whether the DOL's guidance applies only to retirement plans or to all ERISA-covered plans.

According to Groom Law Group, "notably, while some of the guidance package is framed in the context of retirement plans, the guidance appears to apply to all ERISA plans, including health and welfare plans, as the underlying fiduciary responsibilities and obligations are equally applicable in both contexts."

Ultimately, the guidance confirms that ERISA requires plan fiduciaries to mitigate cybersecurity risks and offers best practices in three areas:

1. Service provider selection.
2. Cybersecurity programs.
3. Online security.

1. Service provider selection

This part of the guidance provides tips for choosing service providers with strong cybersecurity practices in place.

For example, before hiring a retirement plan service provider:

• Ask them about their established information security policies, procedures and standards.
• Request to see their audit results and determine whether those results are in line with industry standards.
• Inquire about their levels of security and whether they have insurance to cover potential losses caused by a cyberattack.
• Find out whether they have suffered security breaches in the past. If so, what happened, and how did they respond?

For more information, see the DOL's Tips for Hiring a Service Provider With Strong Cybersecurity Practices.

 

2. Cybersecurity programs

As stated, service providers should have a strong cybersecurity system. The second part of the DOL's guidance helps plan fiduciaries understand the components of a strong cybersecurity system. They include:

• A formal, properly documented cybersecurity program.
• Annual risk assessments.
• Annual third-party audits.
• Periodic cybersecurity awareness training.
• Robust access control procedures.
• A program addressing business continuity, incident response and disaster recovery.
• A chief information security officer to oversee the cybersecurity program.

For more information, see the DOL's Cybersecurity Program Best Practices.

3. Online security 

This part of the guidance helps plan participants and beneficiaries who use the internet to check their retirement plans to lower the risk of fraud and loss.

The guidance offers online security tips for the following:

• Registering, setting up and monitoring an online account
• Utilizing strong and unique passwords.
• Applying multifactor authentication.
• Keeping personal contact information updated.
• Closing or deleting unused accounts.
• Being cautious of free Wi-Fi.
• Being wary of phishing attacks.
• Installing antivirus software and keeping it current.
• Knowing how to report cybersecurity incidents, including identity theft.

For more information, see the DOL's Online Security Tips. Also, help your plan participants protect themselves by informing them of the DOL's online security tips. Finally, note that this is just a summary of the major provisions. Consult qualified professionals and the original DOL guidance for essential details.