Cybersecurity guidance from the DOL for retirement plan fiduciaries

Retirement plan fiduciaries should already be aware that cybersecurity is a fiduciary duty. To underscore—and help combat—the threat that online fraud poses to retirement plans, the U.S. Department of Labor (DOL) has issued three documents outlining cybersecurity tips and best practices. Fiduciaries need to take the threat seriously by adopting the DOL’s best practices and tips for plan fiduciaries, service providers, and plan participants.

Cybersecurity breaches are nothing new: almost 4,000 data breaches were reported in 2020, exposing more than 37 billion records.1 And with an estimated $9.3 trillion in defined benefit and defined contribution assets as of 2018, retirement plans are increasingly attractive targets. That’s why the DOL felt compelled to issue guidance for retirement plan fiduciaries.

While you’re not expected to be a cybersecurity expert yourself, as a retirement plan fiduciary you are required to make sure your service providers and participants follow certain rules of conduct and best practices to protect plan data and accounts.

The DOL spells out best practices and tips for selecting service providers, and shares a flyer for participants that outlines the measures they should take to protect their accounts. What follows are the highlights of the new DOL publications, with links to the documents, so you can dig into the details.

Assess the retirement plan provider’s cybersecurity program

As part of your regular due diligence on your service providers, make sure you uncover how they protect plan data and participant accounts. According to the DOL, you should ascertain that your service providers maintain a “formal, well-documented cybersecurity program” that includes the following best practices:  

Regular audits and assessments

  • Perform annual risk assessments.
  • Go through a third-party audit of security controls annually.
  • Conduct periodic cybersecurity awareness training.

Clear, strong personnel processes 

  • Define all roles and responsibilities regarding information security.
  • Assign all roles and responsibilities regarding information security. 
  • Create and maintain strong access control processes.

Secure data and systems

  • Have any cloud or third-party system that stores plan assets or data reviewed and assessed by an independent party.
  • Implement and manage a secure system development life cycle (SDLC) program.
  • Encrypt all sensitive data, both in transit and at rest.
  • Create and maintain strong technical controls that adhere to security best practices.

Resiliency, continuity, and incident management

  • The business resiliency program should incorporate: 
    • Business continuity 
    • Disaster recovery
    • Incident response measures
  • The service provider should respond effectively to cybersecurity incidents or breaches, and should be able to show a record of having done so.

Five questions for your cybersecurity due diligence

The DOL goes on to list “tips for hiring a service provider with strong cybersecurity practices”. To follow the tips, you’ll want to ask these five questions:  

  1. What are your information security standards, practices, and policies? Ask them to share the results of independent audits as well, and then benchmark both against industry standards.
  2. How do you validate your cybersecurity practices and what security standards have you implemented?
  3. Have you ever had a security breach and how did you handle it? 
  4. How much insurance coverage do you have for losses caused by cybersecurity and identity theft breaches, both external threats and internal misconduct?
  5. How do you maintain ongoing compliance with cybersecurity and information security standards? Try to negotiate cybersecurity measures in the service agreement that cover:
    • Reporting on information security and audits
    • Keeping plan and participant data and information secure and confidential
    • How you’ll be notified of cybersecurity breaches
    • How the provider complies with record retention and destruction, privacy, and information security laws
    • How much insurance you expect the provider to carry to cover losses due to cybersecurity breaches

You’ll also want to do your own homework by looking at the provider’s track record. Research publicly available information to determine whether they’ve experienced any information or cybersecurity incidents, as well as any other litigation or legal proceedings.

Retirement plan participants are part of the cybersecurity solution

No matter how strong an organization’s policies are, it’s still vulnerable to an individual user’s carelessness with passwords, other accounts, email, and online behavior in general. It’s part of your duty to make sure your employees are doing everything in their power to keep their accounts secure. So the DOL also provides a cheat sheet you can share with your participants.

Make sure your participants understand these guidelines from the DOL and best practices followed in the industry:

  • Why it’s important to:
    • Register your retirement account online
    • Monitor the account regularly
    • Keep contact information up to date
  • How to create a smart username
  • How to choose a secure password
  • Not to select “remember passwords” on their computer
  • The importance of multi-factor authentication
  • Why they should close or delete any accounts they don’t use
  • The importance of keeping private information private on social media
  • The need to only answer security questions with answers that can’t be found online
  • The danger of free and public WiFi
  • How to avoid phishing
  • To only use browsers that support 256-bit encryption
  • Not to send financial or personally identifiable information over text or email
  • The need to use antivirus software and keep apps up to date
  • How to look for signs that a website is secure—the URL should start with https:
  • How to report an incident
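The two browser items on that list deserve a practical note. Every current browser supports 256-bit encryption, so that criterion on its own no longer separates a safe connection from an unsafe one; what actually matters is that the provider’s portal is reached over HTTPS with a valid certificate and negotiates a modern TLS session. The Python script below is an added example, not part of the DOL guidance and not John Hancock’s own tooling, showing how a plan sponsor’s IT staff could check a provider’s login page against those signals. The thresholds it applies (TLS 1.2 or newer, at least 128-bit cipher strength, forward secrecy) are this example’s assumptions rather than figures from the DOL, and the cipher tuples in the demo section are constructed so the logic can be exercised offline.

```python
import socket
import ssl
from urllib.parse import urlparse

# Minimum acceptable TLS parameters. These are assumptions chosen for this
# example, not numbers taken from the DOL guidance.
MIN_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}
MIN_CIPHER_BITS = 128


def url_uses_https(url: str) -> bool:
    """True only when the scheme is https (case-insensitive) and a host is present."""
    parsed = urlparse(url.strip())
    return parsed.scheme.lower() == "https" and bool(parsed.hostname)


def assess_cipher(cipher: tuple) -> dict:
    """Evaluate the (name, protocol, bits) tuple that ssl.SSLSocket.cipher() returns.

    Returns {"acceptable": bool, "reasons": [...]} where reasons lists each
    failed check, so a reviewer sees every problem rather than only the first.
    """
    name, protocol, bits = cipher
    reasons = []
    if protocol not in MIN_TLS_VERSIONS:
        reasons.append(f"legacy protocol {protocol}")
    if bits < MIN_CIPHER_BITS:
        reasons.append(f"weak cipher strength {bits} bits")
    # Forward secrecy: every TLS 1.3 suite uses ephemeral key exchange; under
    # TLS 1.2 and older the suite name must show ECDHE or DHE.
    if protocol != "TLSv1.3" and not any(kx in name for kx in ("ECDHE", "DHE")):
        reasons.append("no forward secrecy (static key exchange)")
    return {"acceptable": not reasons, "reasons": reasons}


def check_portal(url: str, timeout: float = 5.0) -> dict:
    """Live check: connect to the host in the URL and grade the negotiated session.

    Needs network access, so the offline demo below does not call it with a
    reachable host. The default SSL context verifies the certificate chain and
    hostname, so an invalid or mismatched certificate raises ssl.SSLError.
    """
    if not url_uses_https(url):
        return {"acceptable": False, "reasons": ["URL is not https"]}
    parsed = urlparse(url.strip())
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result = assess_cipher(tls.cipher())
            result["protocol"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            return result


if __name__ == "__main__":
    # Constructed cipher tuples in the shape ssl.SSLSocket.cipher() returns.
    samples = [
        ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),        # modern, acceptable
        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),   # acceptable
        ("AES256-SHA", "TLSv1.0", 256),                    # 256-bit but still bad
    ]
    for sample in samples:
        print(sample[0], assess_cipher(sample))
    print("http://portal.example.com ->", check_portal("http://portal.example.com"))
```

The third sample makes the point behind the caveat: a 256-bit cipher negotiated over TLS 1.0 with a static RSA key exchange fails two of the three checks, so cipher strength alone says little about whether a session is secure. Replace the demo with `check_portal("https://<provider-login-page>")` to run the live check against a real portal.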

Take the DOL’s cybersecurity best practices and make them yours

As a retirement plan fiduciary, you don’t have to be an expert at information technology and cybersecurity. But you do have to make sure your service providers expertly maintain their technology infrastructure and cybersecurity systems. The DOL, in issuing its guidance, is both supporting you in your efforts and underscoring the importance of monitoring cybersecurity as a fiduciary duty.

The content of this document is for general information only and is believed to be accurate and reliable as of the posting date, but may be subject to change. It is not intended to provide investment, tax, plan design, or legal advice (unless otherwise indicated). Please consult your own independent advisor as to any investment, tax, or legal statements made herein.

MGTS-P 44960-GE  04/21 44960             MGR0428211620997

Thomas Shola

Assistant Vice President, IT Cybersecurity Officer

John Hancock Retirement