Cybersecurity Best Practices for Retirement Plans: How to Prepare for the Coming Department of Labor Cybersecurity Audits

Foley Hoag LLP - Security, Privacy and the Law
Are your employer-sponsored retirement accounts exposed to cybersecurity threats?  How should you and those who are entrusted with your retirement assets mitigate cybersecurity risks?  The official who leads the Employee Benefit Security Administration of the U.S. Department of Labor (EBSA) addressed these questions at a recent conference, following EBSA’s April 14, 2021 release of cybersecurity guidance for retirement plans.  The guidance outlines what actions plan sponsors, fiduciaries, service providers and participants should take to safeguard retirement assets and personal information against cybersecurity threats.

The guidance impacts more than employers and other plan fiduciaries.  If you provide any services to a retirement plan and have access to plan-related data (such as in your capacity as the plan’s record keeper, custodian, actuary or auditor), you need to evaluate whether your cybersecurity programs are adequate in light of the 12 cybersecurity best practices outlined by EBSA.  These best practices range from encrypting sensitive data and documenting cybersecurity policies and procedures, to conducting annual risk assessments and training.  These EBSA best practices are generally consistent with cybersecurity guidelines issued by other regulators.  At a minimum, you should try to implement the best practices recommended by EBSA as part of your organization-wide cybersecurity program.

If you are an employer sponsoring a retirement plan for your employees, you have an obligation under law to prudently select and monitor service providers to the plan.  The EBSA guidance provides a list of “tips” for evaluating whether a service provider has robust cybersecurity policies and practices.  These tips encourage plan sponsors to conduct due diligence on the service provider’s cybersecurity programs, third-party audit reports and past security breaches, and to negotiate contractual terms (such as insurance coverage and notice of breach provisions) that will enhance cybersecurity protections for the plan and its participants.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising