The Department of Labor (DOL) has issued its first retirement plan guidance addressing cybersecurity risks for employers, plan fiduciaries, recordkeepers and plan participants. The guidance takes the form of recommended best practices for protecting retirement benefits: cybersecurity practices for employers and plan service providers, and online security tips for participants.
The concern is that, with millions of dollars accumulating in retirement and 401(k) plans, participant data and plan assets are exposed to cybersecurity threats unless adequate protections are in place. The guidance confirms the DOL’s view that cybersecurity is a fiduciary obligation and that plan fiduciaries should take reasonable and appropriate steps to protect their retirement plans and related participant data from cybersecurity breaches.
The guidance comes in three parts: (1) cybersecurity program best practices, (2) tips for hiring service providers with strong cybersecurity practices, and (3) online security tips for participants to protect their plan accounts.
Cybersecurity Program Best Practices. This part is intended to help plan fiduciaries and recordkeepers manage cybersecurity risks. The guidance provides the following recommendations:
Tips for Hiring Service Providers with Strong Cybersecurity Practices. These recommendations help employers and plan fiduciaries satisfy their ERISA fiduciary duty to prudently select and monitor service providers, including with respect to cybersecurity.
Online Security Tips for Plan Participants. Employers should educate participants on the importance of online security and consider including these tips in participant communications and plan educational meetings.
Resources for reporting cyber incidents (FBI and CISA):
https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view
https://www.cisa.gov/reporting-cyber-incidents
This guidance makes clear that the DOL considers cybersecurity a fiduciary responsibility. Employers and plan fiduciaries should therefore give serious consideration to these recommendations as they apply to their retirement plans, participants and plan service providers. They should review current practices and provider contracts, and consider adopting a written cybersecurity policy that incorporates the applicable best practices.
Please contact Vandeventer Black LLP if you have any questions or would like additional information.