Earlier this year, the DOL’s Employee Benefits Security Administration issued cybersecurity guidance for retirement plan sponsors, fiduciaries, recordkeepers, and participants. It lays out the obligations of “responsible plan fiduciaries” to mitigate cybersecurity risks to retirement plan assets and participant data. Regarding best practices, the DOL guidance for retirement plan cybersecurity recommends a three-pronged approach:

1. Tips for hiring a retirement plan service provider

2. Retirement plan cybersecurity best practices

3. Online security tips for plan fiduciaries and participants

The DOL’s 3-Pronged Cybersecurity Plan

Given today’s heightened cybersecurity risks, adopting a security-first mindset is essential for advisors in the retirement plan space. By educating your clients about the DOL’s cybersecurity expectations, you’ll build relationships with retirement plan sponsors and increase the value you provide them.

How can you help protect the assets and participant data of your retirement plan clients? Let’s review the specifics of the DOL guidance for retirement plan cybersecurity.

1) Tips for hiring a retirement plan service provider. Many (if not most) plan sponsors rely on third-party service providers for assistance with plan administration and recordkeeping. You can help clients make the right decision for their plans by ensuring that they focus on the following best practices when vetting third-party vendors:

• Ask about the service provider’s information security standards, practices, policies, and audit results. Your plan sponsor clients should compare this data with industry standards.

• Learn how the service provider validates its practices and which levels of security standards it has met and implemented. Here, the focus should be on contract provisions that give the client the right to review audit results, demonstrating compliance with the standard.

• Evaluate the service provider’s industry track record. Red flags might include information security incidents, litigation, or legal proceedings related to the vendor’s services.

• Discuss whether the service provider has experienced past security breaches. If so, what happened? How did the service provider respond?

• Find out whether the service provider has any insurance policies. Would such policies cover losses caused by cybersecurity and identity theft breaches?

• Ensure that the service provider contract requires ongoing compliance with cybersecurity and information security standards. Some contract provisions may limit the service provider’s responsibility for information security breaches, while other terms enhance cybersecurity protection for the plan and its participants, including:

  • Information security reporting

  • Provisions on the use and sharing of information and confidentiality

  • Notification of cybersecurity breaches

  • Compliance with records retention and destruction, privacy, and information security laws

  • Insurance

2) Retirement plan cybersecurity best practices. Developing a policy based on best practices will enable plan fiduciaries to act prudently and mitigate cybersecurity risk. Be sure to educate your plan sponsor clients on the following pillars of a good policy:

• Create a formal, well-documented cybersecurity program to identify and assess internal and external cybersecurity risks that threaten the confidentiality, integrity, or availability of stored, nonpublic information. The program should:

  • Pinpoint risks

  • Provide necessary protection

  • Identify cybersecurity events and respond to them

  • Work to restore operations and services

• Establish strong security policies, guidelines, and standards.

• Conduct annual risk assessments, as well as periodic cybersecurity awareness training.

• Perform an annual third-party audit of security controls.

• Define and assign information security roles and responsibilities.

• Develop strong data access control procedures.

• Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

• Implement and manage a secure systems development life cycle (SDLC) program (i.e., a formal way of ensuring that adequate security controls are implemented).

• Have an effective business resiliency program that addresses business continuity, disaster recovery, and incident response.

• Ensure that sensitive data is encrypted while stored and in transit.

• Implement strong technical security solutions and security best practices (e.g., regularly update antivirus software and back up data).

• Appropriately respond to past cybersecurity incidents.

3) Online security tips for plan fiduciaries and participants. Although the following tips might be familiar, keeping them top of mind will help your clients and their plan participants reduce the risk of fraud and loss to their retirement accounts:

• Register, set up, and routinely monitor any online retirement account.

• Create strong and unique passwords.

• Use multifactor authentication.

• Keep personal contact information current.

• Close or delete unused accounts.

• Be wary of free Wi-Fi.

• Be in the know regarding signs of phishing attacks.

• Use antivirus software and keep apps and software current.

Cybersecurity Awareness Mindset

According to the DOL guidance for retirement plan cybersecurity, the policies described above are designed to help protect an estimated $9.3 trillion in plan assets. This vast sum highlights the cyberthreats faced by your plan sponsor clients and their plan participants. If you’re an advisor who supports or acts as a plan fiduciary, you have an obligation to do your part in educating your clients regarding cybersecurity. It’s also a good business practice—and an excellent way to build relationships with retirement plan sponsors.

For more information on cybersecurity, read our recent post on the importance of cyber liability insurance. We also recommend visiting the Cybersecurity Awareness Month website.