The Department of Labor’s (DOL) release of cybersecurity best practices for plans covered by the Employee Retirement Income Security Act (ERISA) makes it clear that plan sponsors, service providers, and participants share responsibility for protecting plan accounts. The guidance, which includes tips for hiring service providers, cybersecurity program best practices, and online security tips, provides a best-practices roadmap for organizations to follow. This document translates DOL’s guidance into action items for plan sponsors. Certainly, the adoption and implementation of ERISA cybersecurity policies and procedures will be an organization’s strongest defense against fiduciary litigation and DOL investigations.
Due Diligence & Contracting a Service Provider
When selecting and using third-party providers, you should conduct due diligence to identify service providers with strong, established cybersecurity practices and a low overall vendor risk management profile (few red flags and low risk scores). The DOL recommends that plan sponsors inquire about a service provider’s cybersecurity standards, policies, and practices, which should also include regular audits by an outside auditor.
For example, you could ask: “What are the service provider’s levels of security, and do they have insurance to cover potential losses resulting from a cyberattack?” You should research public information, such as past and ongoing litigation, security incidents, and other legal proceedings, to get an understanding of the service provider’s history and risk profile. Make certain the service provider appropriately addresses your concerns.
Cybersecurity Highlight Requirements:
- Require a risk assessment by an independent auditor, such as a SOC 2 report
- Address minimum cybersecurity practices, such as multifactor authentication, encryption policies and procedures, regular vulnerability assessments, and annual penetration tests
- Establish a notification protocol for any cybersecurity event that directly affects customer information systems or nonpublic information
Cybersecurity Program Best Practices
As a plan fiduciary, you have an obligation to mitigate cybersecurity risks. As mentioned above, when hiring a service provider, you should make certain the provider has adopted a strong cybersecurity program. A strong program identifies and assesses internal and external cybersecurity risks to the confidentiality, integrity, or availability of stored nonpublic information.
Components of an effective policy include:
- Oversight by the chief information security officer
- Periodic cybersecurity policy updates
- Annual cybersecurity awareness training
- Written documentation of the particular framework(s) used to assess the security of systems and practices
- A reasonable annual risk assessment
- Procedures to control access to IT systems and data, and
- Annual third-party audits
Service providers are expected to act upon the results of the third-party audits and proactively document the steps taken to correct the reported risks, vulnerabilities, and weaknesses.
Online Security Tips
Retirement plan participants and beneficiaries share accountability for maintaining the security of their retirement account information. Plan participants and beneficiaries who check their retirement accounts online should be educated on how they can reduce the risk of fraud and loss. In its guidance, the DOL provides the following tips:
- Register, set up, and routinely monitor your online account
- Use strong and unique passwords
- Use multifactor authentication
- Keep personal contact information current
- Beware of phishing attacks
- Close or delete unused accounts
- Be wary of free Wi-Fi
- Use antivirus software and keep apps and software current
- Know how to report identity theft and cybersecurity incidents
Plan sponsors, service providers, and participants rely on the DOL’s guidance to establish a minimum threshold for cybersecurity compliance. Plan sponsors should establish consistent guidelines for vetting third-party providers and, as with any fiduciary decision, should carefully document the decision-making process.
Additionally, plan sponsors should not limit compliance with these cybersecurity practices to ERISA-covered retirement plans; as a best practice, all ERISA-covered plans for which the plan sponsor has a fiduciary duty should fall under the policy’s umbrella. It is anticipated that a plan sponsor’s cybersecurity policy will become as integral to qualified retirement plans as investment policy statements are today.
Modevity’s Investigative Due Diligence research analysis and reporting services utilize extensive global databases of public records and private data sources with cutting-edge AI platform technology and varied open-source tools.
We offer professional, discreet, and effective outsourced Investigative Due Diligence reporting services that allow your team to make smart decisions and to alleviate financial, operational, and reputational risk to your organization.