To increase protections for the estimated $9.3 trillion in American retirement assets, the Department of Labor (DOL) has begun a new cybersecurity audit initiative for retirement plans. After providing its first set of guidance on cybersecurity in April, the DOL quickly began the audit initiative by issuing information and document requests to numerous 401(k) plan fiduciaries. The DOL has stated that ERISA requires plan fiduciaries to take appropriate precautions to mitigate the risks of cybercrime and this new audit activity clearly indicates that companies must take steps to align their cybersecurity programs with the guidance provided or risk being caught flatfooted by a probing and comprehensive audit.
The DOL’s cybersecurity guidance is aimed at plan sponsors, plan fiduciaries, record-keepers, and plan participants. It provides advice on how to best protect the retirement benefits of America’s workers through cybersecurity safeguards. The DOL’s guidance is broken down into the following three documents:
- Tips for Hiring a Service Provider
- Cybersecurity Program Best Practices
- Online Security Tips
Tips for Hiring a Service Provider
This document focuses on assisting plan sponsors in selecting quality service providers that have robust cybersecurity practices in place. It includes a list of questions to ask service providers when evaluating the effectiveness of their cybersecurity plan. This guidance document also provides suggestions of specific provisions that plan sponsors should ensure are included in any service provider contract. Such contracts should impose obligations on the service provider to obtain annual third-party cybersecurity audits, identify how quickly the plan sponsor will be notified in the event of any cyber incident or data breach, and require the provider to maintain insurance that covers losses due to cybercrime.
Cybersecurity Program Best Practices
This document reinforces the obligation that plan fiduciaries have to ensure proper mitigation of cybersecurity risks. The document provides a list of 12 best practices that record-keepers and those responsible for plan-related IT systems should include in their cybersecurity plans. The list includes having a formal, well documented cybersecurity program in place; maintaining strong access control procedures; and implementing an effective business resiliency program which addresses business continuity, disaster recovery, and incident response.
Online Security Tips
This document is addressed to plan participants and beneficiaries, with an aim to reduce easily preventable loss by implementing online risk mitigation techniques such as multi-factor authentication. The guidance document warns of the dangers that phishing attacks pose and lists signs that participants can look for when proactively attempting to identify a phishing scam before a data breach occurs.
Next Steps for Plan Sponsors
Although DOL audits have already begun, it is never too late to start implementing better cybersecurity practices. Plan sponsors can prepare for an audit and ensure that their participants’ assets are protected by using the DOL’s guidance to reinforce internal cybersecurity programs and by contacting current service providers to ensure external compliance. Click here for a list of example DOL audit questions.
Plan sponsors may find it useful to review the list and spend time identifying which questions would prove troublesome to answer. This exercise can provide an actionable list of potential cybersecurity weaknesses to be addressed prior to an audit.
