DOL Issues Cybersecurity Best Practices for Retirement Plan Sponsors
In recent years, cybersecurity—the protection of electronic data from unauthorized and criminal use—has become a keen focus for corporations, small businesses, and individuals alike.
Recently, the DOL weighed in on cybersecurity for the first time by providing guidance to businesses that sponsor a workplace retirement plan. This guidance provides best practices and tips for safeguarding the sensitive personal information of employees. It aims to help protect the personal data of more than 140 million working Americans who participate in workplace defined benefit or defined contribution plans, which represents an estimated $9.3 trillion in assets. To help retirement plan sponsors and fiduciaries organize their cybersecurity efforts, the DOL’s guidance is broken into three areas of focus, which are summarized below.
Tips for Hiring Service Providers
This section of guidance offers plan sponsors and fiduciaries key tips to help them prudently select a service provider—such as a recordkeeper, third-party administrator, or custodian—with strong cybersecurity practices and monitor its activities, as required by ERISA. Some of these tips include:
- Inquiring about the service provider’s information security standards, practices, and policies and how those practices are validated and maintained on an ongoing basis
- Evaluating the cybersecurity track record of service providers
- Determining whether service providers hold insurance policies that would cover losses due to cybersecurity breaches
Cybersecurity Program Best Practices
The DOL prescribes ways that plan fiduciaries and recordkeepers can manage cybersecurity risks by creating and implementing a well-documented cybersecurity program. A cybersecurity program should:
- Identify and assess internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information
- Evaluate ongoing risk with an annual assessment
- Have a third-party audit of security controls
- Have clearly defined and assigned information security roles and responsibilities and strong access control procedures
- Conduct cybersecurity awareness training for all personnel
- Contain a plan for responding to cybersecurity incidents or breaches
Online Security Tips for Plan Participants
To provide an extra layer of defense for thwarting cyberattacks, participants and beneficiaries should be diligent and adhere to basic rules to reduce the risk of online fraud and loss. Tips to protect personal data include:
- Routinely monitoring online retirement plan accounts
- Using strong and unique passwords and multifactor authentication
- Keeping personal information updated and current
- Being wary of connecting to free Wi-Fi, which can open the door for cybercriminals to hack into personal accounts
- Knowing the signs of a phishing attack (Phishing is an attempt to trick individuals into sharing passwords, account numbers, and sensitive information, usually with a suspicious message that is disguised to look like it is from a legitimate organization.)
- Using antivirus software and keeping apps current
Cybercrime is on the rise, with an estimated $4.2 billion in losses last year derived from nearly 800,000 cybercrime complaints, according to the FBI. As a good first step, business owners, retirement plan sponsors, and fiduciaries should familiarize themselves with the DOL’s guidance and review it carefully with their internal information security stakeholders. Then, schedule time to speak with service providers and a retirement plan advisor to organize a plan of action to ensure that their employees’ personal data and information are well-guarded.