DOL Issues Cybersecurity Guidance For Employee Benefit Plans

McNees Wallace & Nurick LLC

On Thursday, April 14, 2021, the U.S. Department of Labor announced guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices for maintaining cybersecurity. This is the first time the Department has issued guidance on cybersecurity for employee benefit plans.

The guidance includes tips for plan sponsors and fiduciaries in selecting and hiring service providers, including:

  • Compare the service provider’s information security standards, practices and policies, and audit results to industry standards.
  • Look for service providers that follow a recognized standard for information security and use a third-party auditor to review and validate their cybersecurity practices.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
  • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the service provider’s services.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
  • Make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.
  • Also, try to include provisions addressing the following in your agreements with your service providers:
    • Information security reporting,
    • Clear provisions on the use and sharing of information and confidentiality,
    • Notification of cybersecurity breaches,
    • Compliance with records retention and destruction, privacy and information security laws, and
    • Insurance coverage.

The guidance also includes best practices for cybersecurity programs to assist plan fiduciaries and recordkeepers in their risk mitigation responsibilities, including:

  • Have a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Have a reliable annual third-party audit of security controls.
  • Clearly define and assign information security roles and responsibilities.
  • Have strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Implement and manage a secure system development life cycle (SDLC) program.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.
  • Implement strong technical controls in accordance with best security practices.
  • Appropriately respond to any past cybersecurity incidents.

Lastly, the guidance includes online security tips for plan participants who access their accounts online.

The guidance may be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McNees Wallace & Nurick LLC | Attorney Advertising
