DOL Provides Guidance on Cybersecurity Best Practices

On April 14, 2021, the DOL’s Employee Benefits Security Administration provided guidance to plan sponsors, fiduciaries, record keepers and plan participants on cybersecurity best practices. This was done in an effort to protect American workers’ retirement benefits. This novel guidance was provided through three documents: 1) Tips for Hiring a Service Provider; 2) Cybersecurity Program Best Practices; and 3) Online Security Tips.

Tips for Hiring a Service Provider. This document assists plan sponsors and fiduciaries in selecting a service provider with strong cybersecurity practices. ERISA requires plan fiduciaries to monitor service providers to ensure that they are maintaining plan records and keeping participant data confidential and plan accounts secure. The DOL suggests several tips that plan sponsors can follow in ascertaining a service provider’s cybersecurity practices.

Cybersecurity Program Best Practices. This document provides a list of best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data. Plans’ service providers should:

• Have a formal, well documented cybersecurity program
• Conduct prudent annual risk assessments
• Have a reliable annual third-party audit of security controls
• Clearly define and assign information security roles and responsibilities
• Have strong access control procedures
• Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments
• Conduct periodic cybersecurity awareness training
• Implement and manage a secure system development life cycle program
• Have an effective business resiliency program addressing business continuity, disaster recovery and incident response
• Encrypt sensitive data, stored and in transit
• Implement strong technical controls in accordance with best security practices
• Appropriately respond to any past cybersecurity incidents

Online Security Tips. This document is geared towards plan participants and beneficiaries and provides tips on reducing the risk of fraud and loss when accessing their retirement accounts online. The document encourages individuals to:

• Register, set up and routinely monitor their online account
• Use strong and unique passwords
• Keep personal contact information current
• Close or delete unused accounts
• Be wary of free Wi-Fi
• Beware of phishing attacks
• Use antivirus software and keep apps and software current
• Know how to report identity theft and cybersecurity incident

Employers should familiarize themselves with the DOL’s suggestions pertaining to cybersecurity. The guidance indicates that the DOL considers this an element of plan sponsors’ fiduciary duties, so employers should work to minimize the risk of cybersecurity breaches.

News Release »
Tips for Hiring a Service Provider »
Cybersecurity Program Best Practices »
Online Security Tips »