DOL Issues Cyber Security Guidance for Benefit PlansMay 25, 2021
Attention plan sponsors, plan fiduciaries, record-keepers and employee benefit plan participants…the Department of Labor (DOL) has issued new guidance on cybersecurity. Read on.
For the first time, the DOL has recently issued cyber security guidance for plan sponsor, plan fiduciaries, record-keepers and plan participants of employee benefit plans. The guidance includes three forms: 1) Tips for Hiring a Service Provider 2) Cyber Security Program Best Practices and 3) Online Security Tips.
The Employee Benefit Security Administration (EBSA) estimates there are 140 million participants with estimated $9.3 trillion plan assets that could be at risk to cyber threats and it is the plan fiduciary’s responsibility to ensure there are proper controls in place to mitigate these threats.
The forms provide the following guidance:
Tips for Hiring a Service Provider
For plan sponsors and fiduciaries, guidance on selecting a provider with proper cyber security practices, including, but not limited to what to ensure in your service provider contract:
- Awareness of provisions that may limit the service provider’s responsibility for security breaches
- Intentional inclusion of terms that would increase protection for the Plan and participants
- Information Security Reporting
- Terms on Sharing of Information and Confidentiality
- Notification of Cybersecurity Breaches
- Compliance with Records Retention and Destruction, Privacy and Information Security Laws
Cyber Security Program Best Practices
For fiduciaries and record-keepers, guidance on how to manage cybersecurity risks, including, but not limited to:
- Formal and documented cyber security program
- Annual risk assessments
- Third-party audit of security controls
- Cyber security training and awareness and
- Strong security reviews and independent security assessments for assets or data stored in the cloud or managed by a third-party provider.
Online Security Tips
For participants and beneficiaries, guidance on how to reduce risk of fraud for those who access retirement accounts online, including, but not limited:
- Register, set up and often monitor your online account
- Use strong and unique password and change them every 120 days
- Use multi-factor authentication (text messages or e-mail)
- Be Wary of free wi-fi
The forms can be found here https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414
If you have questions on what you are responsible for as the Plan administrator and fiduciary, connect with us.
We can help with your cybersecurity needs as well, reach out to our Cybersecurity Services Team.