In April 2021, the Department of Labor (DOL) issued cybersecurity guidance for plan sponsors, recordkeepers, and participants to help protect Americans’ retirement plan assets from cybercrime. This guidance fills a regulatory gap following several high-profile cases of theft from participant retirement plan accounts.
DOL Cybersecurity Guidance for Recordkeepers:
The DOL issued a 12-part checklist for service providers to include in their cybersecurity program. Items include conducting annual risk assessments, third-party audits, data encryption, and ongoing monitoring & training.
DOL Cybersecurity Guidance for Plan Sponsors:
The DOL issued Tips for Hiring a Service Provider with Strong Cybersecurity Practices. It includes an overview of what plan sponsors should include in their contracts with service providers and questions to include in a request for proposal from a service provider. This serves as a roadmap for ongoing monitoring of any service provider that has retirement plan data.
DOL Cybersecurity Guidance for Participants:
The DOL issued a short overview of Online Security Tips including reminders for participants such as the importance of registering their online account, password protection protocols, and general safety tips related to free Wi-Fi and phishing attacks.
Plan Sponsor Takeaways:
In issuing these materials, the DOL provided a clear roadmap for plan sponsors and service providers while emphasizing that under ERISA Section 404, plan fiduciaries are responsible for ensuring proper mitigation of cybersecurity risks as a part of their fiduciary responsibilities.
The plan sponsor guidance is the framework for a prudent process – a review of all relevant information (or that which the plan sponsor should know to be relevant), objective analysis of the information, and a decision that is documented. Cybersecurity should be a part of the process of selecting, monitoring, and replacing service providers for the plan sponsor to meet their fiduciary obligations under ERISA.
Action items for plans sponsors include:
- Updating RFP templates to include questions about cybersecurity
- Reviewing existing agreements between service providers and plans
- Educating committee on guidance as it pertains to their responsibilities
- Identifying service providers to whom this guidance applies
- Monitoring service provider adherence initially and ongoing
- Educating participants on cybersecurity best practices
If you have any questions about how cybersecurity may impact your current service provider search, contract, or monitoring, please reach out to your Pensionmark advisor or firstname.lastname@example.org.