Don’t Forget About Your Plan when Considering Cybersecurity Threats – Recent DOL Guidance

July 6, 2021

Cybersecurity incidents have been increasing in number and severity for several years. Many companies focus on threats to the organization itself and keep shoring up their IT practices and policies to reduce that risk. Management often overlooks, however, the cybersecurity threats to the company's benefit plans. In April 2021, the Department of Labor (DOL) released cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants. The guidance makes clear the DOL's position that the Employee Retirement Income Security Act of 1974 (ERISA) requires plan fiduciaries to take appropriate steps to mitigate cybersecurity threats to plan participants and plan assets.

The DOL guidance covers three main areas:

  1. Tips for plan sponsors and fiduciaries on selecting service providers for the plan, including the questions to ask and the contract terms to look for.
  2. Best practices for managing cybersecurity risks, aimed at recordkeepers and other service providers responsible for plan-related IT systems and data.
  3. Online security tips for plan participants on protecting their accounts when accessing their data online.

In the guidance on selecting service providers and on best practices, the DOL lists questions management should ask third party providers, such as what information security standards and audit results they can show and whether they carry insurance covering losses from cybersecurity and identity theft breaches, and sets out the provisions to look for when signing a contract with them. It also describes the practices the DOL believes should be in place at these organizations. Many third party recordkeepers describe their security programs in their annual System and Organization Controls reports (SOC 1) over their recordkeeping systems. Keep in mind that a SOC 1 report is scoped to controls relevant to financial reporting, so its coverage of security may be limited; a SOC 2 engagement, which some recordkeepers also have performed, addresses the policies and procedures over the security of their systems directly. When reviewing either report, check the period covered, the systems in scope, any exceptions noted by the auditor, and the complementary user entity controls the report expects the plan sponsor itself to perform. Management should review these reports alongside the DOL guidance and discuss any concerns with the plan provider representative.

In the guidance for participants, the DOL offers practical suggestions for reducing the risk of fraud and loss involving plan balances. These include registering and routinely monitoring the online account for unusual activity, using strong and unique passwords, enabling multi-factor authentication, keeping contact information current so that account alerts reach the participant, and recognizing the warning signs of phishing attacks, which the guidance lists. Plan sponsors should consider providing this guidance to new employees when instructing them on how to set up their online accounts, and periodically recirculating it to the employee population thereafter.

Now that the DOL has released this guidance, plan sponsors should expect that their cybersecurity and information security policies and practices, including those of their third party providers, will be requested in a DOL audit or investigation. We suggest providing this guidance to your IT team so that existing policies and practices can be expanded where necessary to cover risks to plan assets and participants, not only to the organization's own systems.

Read more about the DOL guidance here.