As part of its efforts to protect an estimated $9.3 trillion in retirement plan assets from increasing “internal and external cybersecurity threats,” the Department of Labor (DOL) has issued its first guidance ever concerning cybersecurity and retirement plans. The guidance is intended for three interested groups with a stake in retirement plan administration: the sponsors and fiduciaries of retirement plans; the entities providing administrative and other services to retirement plans; and plan participants and beneficiaries.

The DOL’s new “Online Security Tips” for plan participants and beneficiaries offer a user-friendly summary of the kind of steps that individuals should take in any case to protect their personal financial and other information from online security threats. But plan sponsors and fiduciaries should take special heed of the “Cybersecurity Program Best Practices” and “Tips for Hiring a Service Provider with Strong Cybersecurity Practices” and modify their current administrative practices accordingly.

Practice Pointer: Plan sponsors and fiduciaries should anticipate that this new guidance will serve as the basis for future DOL retirement plan audits and adjust their security programs to follow the DOL’s best practices. Indeed, some plans are already seeing this issue as a component of random DOL plan audits.

Cybersecurity Program Best Practices

The DOL says that it has prepared its Cybersecurity Program Best Practices for use by recordkeepers and other plan service providers responsible for the protection of retirement plan data and to assist plan sponsors in making prudent decisions in selecting plan service providers. The far-reaching guidance is centered around 12 practices that plan sponsors and fiduciaries should expect their plan service providers to have implemented:

• Have a formal, well-documented cybersecurity program.
• Conduct prudent annual risk assessments.
• Have a reliable, annual third-party audit of security controls.
• Clearly define and assign information security roles and responsibilities.
• Have strong access control procedures.
• Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
• Conduct periodic cybersecurity awareness training.
• Implement and manage a secure system development life cycle (SDLC) program.
• Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
• Encrypt sensitive data, stored and in transit.
• Implement strong technical controls in accordance with best security practices.
• Appropriately respond to any past cybersecurity incidents.

Each of these elements is described in more detail in the guidance, in particular the best components of a strong set of written security policies and procedures to implement these recommended steps. If possible, plan sponsor and fiduciaries should request proof of such a written program of best practices and maintain it with the files for the plan.

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

The DOL’s new Tips for Hiring a Service Provider with Strong Cybersecurity Practices similarly trace for plan decision makers the elements of a prudent process for the selection and the monitoring of retirement plan service providers. Plan sponsors and fiduciaries should be prepared to:

• Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
• Ask the service provider how it validates its practices, what levels of security standards it has met and implemented, and for the right to review audit results demonstrating compliance with the standard.
• Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
• Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
• Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account).
• Make sure that the contract with the service provider requires ongoing compliance with cybersecurity and information security standards, and avoid contract provisions that limit the service provider’s responsibility for security breaches.

In addition, contracts should include terms that would enhance cybersecurity protection for the plan and its participants, such as information security reporting, clear provisions on the use and sharing of information and confidentiality, notification of cybersecurity breaches, compliance with records retention and destruction, privacy and information security laws, and insurance.

Practice Pointer: It is especially important to note above the terms regarding cybersecurity issues that the DOL would expect to see in contracts with plan service providers. Plan sponsors and fiduciaries would be well advised to follow the process described in the Tips for Hiring a Service Provider with Strong Cybersecurity Practices and be prepared to document – and to produce such documentation upon audit – the steps taken in selecting and monitoring plan service providers.

As online threats to the security of personal information become more and more pervasive, it is more important than ever for plan sponsors and fiduciaries to maintain responsible, prudent practices to safeguard the account information of retirement plan participants and beneficiaries. The new DOL guidance puts the onus squarely on plan sponsors and fiduciaries and the service providers they engage to step up attention to these important issues, and it provides a road map of sorts to facilitate implementation of cybersecurity best practices. Plans should also expect to see increasing DOL audit activity with respect to plan cybersecurity practices.