Today, the U.S. Department of Labor announced new guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect retirement benefits. This is the first time the department’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance.

Below is what they released today with web links – and some quick-read bullet points for you below:

1. Tips for Hiring a Service Provider with Strong Cybersecurity Practices
   • Plan sponsors should use service providers that follow strong cybersecurity practices.
   • Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.
   • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
   • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).
   • When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches. You should check to make sure you know what requirements your recordkeeper puts on plan participants in order for the participant’s account to be made whole by the recordkeeper if there is a theft (e.g., do they require two-factor authentication in order for the recordkeeper’s “guarantee” to apply?).
   • They identified a list of contractual provisions that your contract with service providers should contain.
   • I would go over this at your next plan committee meeting with your recordkeeper and any other service providers – and document the review in your minutes.
2. Cybersecurity Program Best Practices
   • ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
   • States that plan service providers should “conduct prudent annual risk assessments” and “[h]ave a reliable annual third party audit of security controls.”
   • Outlines what makes a prudent, well-documented cybersecurity program.
   • Again, ask your recordkeeper to provide a summary of how their program meets these standards – so your plan committee can be aware of that and document it for their minutes.
3. Online Security Tips for Retirement Plan Participants
   • I would consider having your recordkeeper send a tip sheet to plan participants ASAP
4. DOL Press Release