DOL Begins Audit of Retirement Plans for Cybersecurity Shortfalls

Bass, Berry & Sims PLC
Contact

Bass, Berry & Sims PLC

To increase protections for the estimated $9.3 trillion in American retirement assets, the Department of Labor (DOL) has begun a new cybersecurity audit initiative for retirement plans. After providing its first set of guidance on cybersecurity in April, the DOL quickly began the audit initiative by issuing information and document requests to numerous 401(k) plan fiduciaries. The DOL has stated that ERISA requires plan fiduciaries to take appropriate precautions to mitigate the risks of cybercrime and this new audit activity clearly indicates that companies must take steps to align their cybersecurity programs with the guidance provided or risk being caught flatfooted by a probing and comprehensive audit.

The DOL’s cybersecurity guidance is aimed at plan sponsors, plan fiduciaries, record-keepers, and plan participants. It provides advice on how to best protect the retirement benefits of America’s workers through cybersecurity safeguards. The DOL’s guidance is broken down into the following three documents:

  1. Tips for Hiring a Service Provider
  2. Cybersecurity Program Best Practices
  3. Online Security Tips

Tips for Hiring a Service Provider

This document focuses on assisting plan sponsors in selecting quality service providers that have robust cybersecurity practices in place. It includes a list of questions to ask service providers when evaluating the effectiveness of their cybersecurity plan. This guidance document also provides suggestions of specific provisions that plan sponsors should ensure are included in any service provider contract. Such contracts should impose obligations on the service provider to obtain annual third-party cybersecurity audits, identify how quickly the plan sponsor will be notified in the event of any cyber incident or data breach, and require the provider to maintain insurance that covers losses due to cybercrime.

Cybersecurity Program Best Practices

This document reinforces the obligation that plan fiduciaries have to ensure proper mitigation of cybersecurity risks. The document provides a list of 12 best practices that record-keepers and those responsible for plan-related IT systems should include in their cybersecurity plans. The list includes having a formal, well documented cybersecurity program in place; maintaining strong access control procedures; and implementing an effective business resiliency program which addresses business continuity, disaster recovery, and incident response.

Online Security Tips

This document is addressed to plan participants and beneficiaries, with an aim to reduce easily preventable loss by implementing online risk mitigation techniques such as multi-factor authentication. The guidance document warns of the dangers that phishing attacks pose and lists signs that participants can look for when proactively attempting to identify a phishing scam before a data breach occurs.

Next Steps for Plan Sponsors

Although DOL audits have already begun, it is never too late to start implementing better cybersecurity practices. Plan sponsors can prepare for an audit and ensure that their participants’ assets are protected by using the DOL’s guidance to reinforce internal cybersecurity programs and by contacting current service providers to ensure external compliance. Click here for a list of example DOL audit questions.

Plan sponsors may find it useful to review the list and spend time identifying which questions would prove troublesome to answer. This exercise can provide an actionable list of potential cybersecurity weaknesses to be addressed prior to an audit.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising

Written by:

Bass, Berry & Sims PLC
Contact
more
less

Bass, Berry & Sims PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.