The language used in the guidance indicates that the DOL considers protecting retirement plan assets and personal information through cybersecurity part of a plan sponsor’s fiduciary duties under ERISA. This cybersecurity duty is not a new concept and has been part of retirement plan lawsuits. However, this is the first time the DOL has issued cybersecurity guidance.
In the past, the DOL has only issued guidance on electronic disclosures. The new guidance mentions that “as of 2018, EBSA estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion.” The DOL’s concern is the risk presented by both internal and external cybersecurity threats. Their guidance to help minimize these threats is very detailed and consist of three topics.
The first topic gives tips to plan sponsors and fiduciaries on questions they can ask to make sure they prudently select and monitor a service provider with strong cybersecurity practices. Some of the recommended questions pertain to the service providers' cybersecurity standards. Look for contract provisions that cover these and ask about their track record and past security breaches. And, find out if they have insurance that will cover losses caused by both internal and external cybersecurity breaches.
The second topic goes over cybersecurity best practices and is aimed at helping recordkeepers and plan fiduciaries minimize their cybersecurity risks. Some of the best practices listed are to create a well documented cybersecurity program managed at the senior executive level by qualified personnel and to have a third party audit of the controls and procedures in the program.
The third topic is online security tips aimed at helping plan participants and beneficiaries reduce their risk of loss due to fraud. Some suggestions encourage participants to routinely monitor their online account, use strong passwords and multi-factor authentication. Additionally, free and public WiFi is often easier for criminals to access their account. Unused accounts should be closed to minimize an online presence. And lastly, participants should protect themselves by watching out for phishing scams. They should leverage antivirus software and keep their contact information current with multiple communication options avaiable so they can easily be reached.
The FBI and the Department of Homeland Security have set up valuable sites for reporting cybersecurity incidents:
And as always, contact us
to learn more!