As of 2018, the DOL estimates that there are 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution (DC) plan participants with combined assets of $9.3 trillion. Without sufficient protection, these participants and assets may be at risk from internal and external cybersecurity threats. The DOL notes that ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.
The DOL guidance was issued in three forms.
- Tips for Hiring a Service Provider: This is designed to help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires. You should inquire about the vendor’s practices and its track record.
- Cybersecurity Program Best Practices: This assists plan fiduciaries and recordkeepers in managing cybersecurity risks. Best practices include having a formal, well-documented cybersecurity program, scheduling annual risk assessments and conducting periodic awareness training.
- Online Security Tips: These offer tips to plan participants who check their retirement accounts online about reducing the risk of fraud and loss. These tips include being wary of free Wi-Fi, and using strong and unique passwords.
According to the DOL, “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”
What Should You Do Next?
- Review the DOL Guidance. It’s relatively brief and provides good practical insights.
- Meet with Your Recordkeeper. Schedule a meeting between your Retirement Committee (or other plan fiduciary) and your plan recordkeeper to discuss the cybersecurity safeguards that it has in place. Include your IT professionals in the meeting. What are your recordkeeper’s security standards, practices and policies? Will it share its annual audit reports? How many cybersecurity professionals does it employ and what is its annual cybersecurity budget? What insurance policies does it have in place for cybersecurity losses? Has it experienced security breaches? How proactive is it to stay one step ahead of the cybercriminals?
- Encourage Your Employees to Act Smarter. Encourage them to use best practices when accessing their accounts. Using multi-factor authentication can be at least as important as using strong passwords. Developing a plan to communicate this message to your employees would be a good topic to discuss with your recordkeeper.
- Revisit Your Service Agreement with Your Recordkeeper. Does your service agreement with your recordkeeper require ongoing compliance with cybersecurity and information security standards? Does it limit the vendor’s responsibility if there is a security breach? Be sure it does not.
- Schedule Annual Cybersecurity Updates. Add a cybersecurity update from your recordkeeper as an annual agenda topic for future Committee meetings. With ever-changing technology, recordkeepers may be implementing noteworthy new safeguards each year.
- Document Whatever You Do. Document whatever cybersecurity meetings and discussions you have. This may help you in the future to respond to claims that you have not done enough.