DOL Issues Cyber Security Guidance for Benefit Plans

May 25, 2021

Attention plan sponsors, plan fiduciaries, record-keepers and employee benefit plan participants: the Department of Labor (DOL) has issued new guidance on cybersecurity. Read on.

For the first time, the DOL has issued cyber security guidance for plan sponsors, plan fiduciaries, record-keepers and plan participants of employee benefit plans. The guidance comes in three forms: 1) Tips for Hiring a Service Provider, 2) Cyber Security Program Best Practices and 3) Online Security Tips. The Employee Benefits Security Administration (EBSA) estimates there are 140 million participants with an estimated $9.3 trillion in plan assets that could be at risk from cyber threats, and it is the plan fiduciary's responsibility to ensure proper controls are in place to mitigate these threats.

The forms provide the following guidance:

Tips for Hiring a Service Provider

For plan sponsors and fiduciaries, guidance on selecting a provider with proper cyber security practices, including, but not limited to, what to ensure in your service provider contract:

- Awareness of provisions that may limit the service provider's responsibility for security breaches
- Intentional inclusion of terms that would increase protection for the Plan and participants
- Information security reporting
- Terms on sharing of information and confidentiality
- Notification of cybersecurity breaches
- Compliance with records retention and destruction, privacy and information security laws
- Insurance

Cyber Security Program Best Practices

For fiduciaries and record-keepers, guidance on how to manage cybersecurity risks, including, but not limited to:

- A formal and documented cyber security program
- Annual risk assessments
- Third-party audit of security controls
- Cyber security training and awareness
- Strong security reviews and independent security assessments for assets or data stored in the cloud or managed by a third-party provider

Online Security Tips

For participants and beneficiaries, guidance on how to reduce the risk of fraud for those who access retirement accounts online, including, but not limited to:

- Register, set up and frequently monitor your online account
- Use strong and unique passwords and change them every 120 days
- Use multi-factor authentication (text messages or e-mail)
- Be wary of free Wi-Fi

The forms can be found here: https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414

If you have questions about what you are responsible for as the Plan administrator and fiduciary, connect with us. We can help with your cybersecurity needs as well; reach out to our Cybersecurity Services Team.