Cybersecurity Guidance For Fiduciaries

Tucker Arensberg, P.C.

As of 2018, the DOL estimates that there are 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution (DC) plan participants with combined assets of $9.3 trillion. Without sufficient protection, these participants and assets may be at risk from internal and external cybersecurity threats.  The DOL notes that ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.

The DOL guidance was issued in three forms.

  • Tips for Hiring a Service Provider:  This is designed to help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.  You should inquire about the vendor’s practices and its track record.
  • Cybersecurity Program Best Practices:  This assists plan fiduciaries and recordkeepers to manage cybersecurity risks.  Best practices include having a formal, well documented cybersecurity program, scheduling annual risk assessments and conducting periodic awareness training.
  • Online Security Tips:  These offer tips to plan participants who check their retirement accounts online about reducing the risk of fraud and loss.  These tips include being wary of free Wi-Fi, and using strong and unique passwords.

According to the DOL, “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”

What Should You Do Next?

  1. Review the DOL Guidance. It’s relatively brief and provides good practical insights.
  2. Meet with Your Recordkeeper. Schedule a meeting between your Retirement Committee (or other plan fiduciary) and your plan recordkeeper to discuss the cybersecurity safeguards that it has in place. Include your IT professionals in the meeting. What are your recordkeeper’s security standards, practices and policies? Will it share its annual audit reports? How many cybersecurity professionals does it employ, and what is its annual cybersecurity budget? What insurance policies does it have in place for cybersecurity losses? Has it experienced security breaches? How proactive is it in staying one step ahead of the cybercriminals?
  3. Encourage Your Employees to Act Smarter. Encourage them to use best practices when accessing their accounts. Using multi-factor authentication can be at least as important as using strong passwords. Developing a plan to communicate this message to your employees would be a good topic to discuss with your recordkeeper.
  4. Revisit Your Service Agreement with Your Recordkeeper. Does your service agreement with your recordkeeper require ongoing compliance with cybersecurity and information security standards? Does it limit the vendor’s responsibility if there is a security breach? Be sure it does not.
  5. Schedule Annual Cybersecurity Updates. Add cybersecurity updates with your recordkeeper as an annual agenda topic for future Committee meetings. With ever-changing technology, recordkeepers may be implementing new safeguards each year that are noteworthy.
  6. Document Whatever You Do. Document whatever cybersecurity meetings and discussions you have. This may help you in the future to respond to challenges that you have not done enough.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Tucker Arensberg, P.C. | Attorney Advertising
