DOL Cybersecurity Guidance: What Employers and Plan Sponsors Need To Know

Cybersecurity risks to plan participants and their retirement assets are mounting. According to a March 2021 report by the Government Accountability Office, 401(k) investors are at risk for “enormous losses” of sensitive information if the Department of Labor (DOL) doesn’t do more to protect sensitive data.

In response, the DOL’s Employee Benefits Security Administration (EBSA) has issued guidance for retirement plan sponsors and fiduciaries, service providers, and plan participants aimed at mitigating cybersecurity risks.

Tips for hiring a service provider

The EBSA advises plan sponsors and fiduciaries to choose service providers with strong cybersecurity practices. The DOL considers the management of cybersecurity risk, including scrutinizing service providers’ cybersecurity policies and practices, to be part of a fiduciary’s duties.

  • Ask about the service provider’s information security standards, practices and policies, and audit results. Compare them to the industry standards adopted by other financial institutions.
  • Look for service providers that follow a recognized standard for information security and use a third-party auditor to review and validate cybersecurity. You can have much more confidence in a service provider if the security of its systems and practices is backed by annual audit reports that verify information security, system and data availability, processing integrity, and data confidentiality.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor services.
  • Ask whether the service provider has experienced past security breaches, and if so, what happened and how they responded.
  • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity or identity theft breaches. Consider both:
    • Breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors
    • Breaches caused by external threats, such as a third-party hijacking a plan participants’ account
  • When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards. Be aware of any contract provisions that limit the service provider’s responsibility for information technology (IT) security breaches. Also include terms in the contract to enhance cybersecurity protection for the plan and its participants, such as:
    • Information security reporting
    • Clear provisions on the use and sharing of information and confidentiality
    • Notification of cybersecurity breaches
    • Compliance with record retention and destruction, privacy, and information security laws
    • Insurance

Cybersecurity program best practices

Plans covered by the Employee Retirement Income Security Act (ERISA) often hold millions of dollars or more in assets and maintain personal data on participants, which can be targets for cybercriminals. The EBSA states that plan fiduciaries have an obligation to ensure cybersecurity risks are properly mitigated.

According to the EBSA, plans’ service providers should:

Have a formal, well-documented cybersecurity program

A sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity or availability of stored nonpublic information. Under the program, the organization fully implements well-documented information security policies, procedures guidelines, and standards to protect the IT infrastructure and data stored on the system.

Conduct prudent annual risk assessments

Risk assessments can identify, estimate and prioritize information system risks. As IT threats are constantly changing, it is important to design a manageable and effective risk assessment schedule.

Have an annual third-party audit of security controls

Hallmarks of a reliable third-party audit include:

  • Audit reports, audit files, penetration test reports, and supporting documents
  • Audit reports prepared and conducted in accordance with appropriate standards
  • Documented corrections of any weaknesses identified in the analyses

Clearly define and assign information security roles and responsibilities

For a cybersecurity program to be effective, it must be managed at the senior executive level and executed by qualified personnel.

Have strong access control procedures

Access control is a method of guaranteeing that users are who they say they are and have the appropriate access to IT systems and data.

Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments

Organizations must understand the security posture of the cloud service provider in order to make sound decisions about using the service.

Conduct periodic cybersecurity awareness training

A comprehensive cybersecurity security awareness program sets clear cybersecurity expectations for all employees and educates everyone to recognize attack vectors, help prevent cyber incidents and respond to potential threats.

Implement and manage a secure system development life cycle program

A secure system development life cycle program ensures that security assurance activities such as penetration testing, code review and architecture analysis are an integral part of the system development effort.

Have an effective business resiliency program

The program should address business continuity, disaster recovery, and incident response.

Encrypt sensitive data

Data encryption can protect nonpublic information. A system should implement current standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data, whether at rest or in transit.

Implement strong technical controls in accordance with security best practices

Best practices for technical security include:

  • Up-to-date hardware, software, and firmware
  • Vendor-supported firewalls
  • Current and regularly updated antivirus software
  • Routine patch management
  • Network segregation
  • System hardening
  • Routine data backup

Appropriately respond to any past cybersecurity incidents

Appropriate responses to cybersecurity breaches or incidents include:

  • Informing law enforcement
  • Notifying the appropriate insurer
  • Investigating the incident
  • Giving affected plans and participants the information necessary to prevent or reduce injury
  • Honoring any contractual or legal obligations with respect to the breach
  • Fixing the problems that caused the breach to prevent a recurrence