New DOL guidance on cybersecurity

McAfee & Taft
Contact

McAfee & Taft

Today, the U.S. Department of Labor announced new guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect retirement benefits. This is the first time the department’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance.

Below is what they released today with web links – and some quick-read bullet points for you below:

  1. Tips for Hiring a Service Provider with Strong Cybersecurity Practices
    • Plan sponsors should use service providers that follow strong cybersecurity practices.
    • Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.
    • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
    • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).
    • When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches. You should check to make sure you know what requirements your recordkeeper puts on plan participants in order for the participant’s account to be made whole by the recordkeeper if there is a theft (e.g., do they require two-factor authentication in order for the recordkeeper’s “guarantee” to apply?).
    • They identified a list of contractual provisions that your contract with service providers should contain.
    • I would go over this at your next plan committee meeting with your recordkeeper and any other service providers – and document the review in your minutes.
  2. Cybersecurity Program Best Practices
    • ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
    • States that plan service providers should “conduct prudent annual risk assessments” and “[h]ave a reliable annual third party audit of security controls.”
    • Outlines what makes a prudent, well-documented cybersecurity program.
    • Again, ask your recordkeeper to provide a summary of how their program meets these standards – so your plan committee can be aware of that and document it for their minutes.
  3. Online Security Tips for Retirement Plan Participants
    • I would consider having your recordkeeper send a tip sheet to plan participants ASAP
  4. DOL Press Release

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McAfee & Taft | Attorney Advertising

Written by:

McAfee & Taft
Contact
more
less

McAfee & Taft on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.