In April 2021, the Department of Labor (DOL) issued cybersecurity guidance for plan sponsors, recordkeepers, and participants to help protect Americans’ retirement plan assets from cybercrime. This guidance fills a regulatory gap following several high-profile cases of theft from participant retirement plan accounts.
The DOL issued a 12-part checklist for service providers to include in their cybersecurity program. Items include conducting annual risk assessments, third-party audits, data encryption, and ongoing monitoring & training.
The DOL issued Tips for Hiring a Service Provider with Strong Cybersecurity Practices. It includes an overview of what plan sponsors should include in their contracts with service providers and questions to include in a request for proposal from a service provider. This serves as a roadmap for ongoing monitoring of any service provider that has retirement plan data.
The DOL issued a short overview of Online Security Tips including reminders for participants such as the importance of registering their online account, password protection protocols, and general safety tips related to free Wi-Fi and phishing attacks.
In issuing these materials, the DOL provided a clear roadmap for plan sponsors and service providers while emphasizing that under ERISA Section 404, plan fiduciaries are responsible for ensuring proper mitigation of cybersecurity risks as a part of their fiduciary responsibilities.
The plan sponsor guidance is the framework for a prudent process - a review of all relevant information (or that which the plan sponsor should know to be relevant), objective analysis of the information, and a decision that is documented. Cybersecurity should be a part of the process of selecting, monitoring, and replacing service providers for the plan sponsor to meet their fiduciary obligations under ERISA.
Action items for plan sponsors include:
If you have any questions about how cybersecurity may impact your current service provider search, contract, or monitoring, please reach out to your Pensionmark advisor or info@pensionmark.com.