Many of the same cybersecurity best practices implemented across business operations can be scaled to include retirement plans. The Department of Labor guidance should serve as a framework to follow in this regard.
Because the DOL has made it clear that cybersecurity is part of the plan sponsor’s fiduciary obligations under ERISA, cybersecurity needs to be part of the process of selecting, monitoring, and replacing service providers to the plan. Particular attention should be paid to existing service providers that hold or have access to sensitive data, and agreements should be reviewed and modified as needed to ensure the five key areas outlined in the DOL guidance are incorporated:
- Requirement for an annual third-party audit to determine compliance with information security policies and procedures
- Clear identification of the service provider’s obligation to keep private information private, prevent disclosure of confidential information, and meet a strong standard of care to protect confidential information
- Provisions related to record retention, privacy, and information security
- Provisions related to notification and cooperation for cybersecurity breaches
- Potentially a requirement related to insurance coverage for cybersecurity breaches
Request for Proposal (RFP) efforts should also add questions incorporating the recent guidance.
Whether you’re examining existing relationships or evaluating new ones, asking the right questions is only part of the process a fiduciary should consider. The other key component is understanding the responses being provided. Remember that as a fiduciary, the standard to which your actions are held is essentially that of a prudent specialist who is familiar with such matters. Said a different way, if you do not have the knowledge to evaluate the responses provided, seek assistance from an IT security specialist.
As mentioned previously, recent plan audits have requested copies of cybersecurity policies, which makes fiduciary compliance and risk mitigation broader in scope. If you do not have IT security resources in your company, engage a reputable IT security consultant. This provider can help you evaluate and create a more secure environment, helping you:
- Create a formal, documented cybersecurity program for your retirement plan.
- Conduct annual risk assessments to stay ahead of the ever-changing IT risk environment.
- Conduct an annual third-party security controls audit.
- Define and assign clear roles and responsibilities for information security.
- Create robust procedures for access control.
- Ensure that any data or assets managed by third-party service providers or stored in the cloud receive adequate security reviews.
- Train employees and plan participants on cybersecurity awareness at least once a year.
- Implement a secure system development life cycle (SDLC) program if your organization has in-house application development efforts.
- Implement a business resiliency program that includes business continuity, disaster recovery, and incident response.
- Encrypt sensitive data at rest and in transit to protect the confidentiality of your plan’s data.
- Develop strong technical controls, such as system hardening, vendor-supported firewalls, network segregation, and routine patch management.
- Respond appropriately to cybersecurity incidents.