Skip to main content

Department of Labor Provides Cybersecurity Guidance for Retirement Plan Sponsors, Fiduciaries, Record Keepers, and Plan Participants

In April of this year, the U.S. Department of Labor (DOL) published new guidance and best practices to reduce retirement plan cybersecurity risks. While directed at retirement plans and plan sponsors regulated by ERISA, the guidelines and practices are valuable for all retirement plan sponsors and plan participants.

Retirement plans are attractive targets for cybercriminals due to the amount of assets and data held in retirement plans. It is not only important to have measures to prevent data breaches and fraudulent distributions, but to have a plan in place to respond to such incidents.

The DOL’s guidance and best practices focus on three areas: best practices for plan sponsors and plan service providers, online security tips for plan participants, and tips for hiring service providers.

Cybersecurity Program Best Practices

The DOL’s Cybersecurity Program Best Practices, describe the best practices for retirement plans and retirement plan service providers. The best practices apply to plan sponsors and the plan vendors the sponsors select. These best practices include:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

Online Security Tips

The DOL’s Online Security Tips provide practical advice to plan participants to reduce the risk of fraud. Many of these tips are common and well-known; however, it is always helpful to remind and encourage plan participants to follow these guidelines to keep their information and their retirement savings safe. Plan sponsors and plan providers may consider including these tips as part of ongoing communications and training for plan participants.

  • Register, set up, and routinely monitor online accounts
  • Use strong and unique passwords
  • Use multi-factor authentication
  • Keep personal contact information current
  • Close or delete unused accounts
  • Be wary of free wi-fi
  • Beware of phishing attacks
  • Use antivirus software and keep apps and software current
  • Know how to report identity theft and cybersecurity incidents

Tips For Hiring A Service Provider With Strong Cybersecurity Practices

Plan sponsors often employ record keepers, third party administrators, and service providers to administer operations of the plan and to provide retirement products and services for their plan participants. These service providers should be reviewed and monitored by plan sponsors to ensure these providers have strong cybersecurity measures in place. The DOL’s tips include:

  1. Ask about the service provider’s information security standards, practices, and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
  2. Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.
  4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).
  6. When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware contract provisions that limit the service provider’s responsibility for IT security breaches.

TC120980(0521)1

Craig Campbell

Craig Campbell

Senior Market Conduct & Compliance Associate