The Department of Labor's Employee Benefits Security Administration, in issuing its first cybersecurity guidance, made clear a point that was previously only assumed: that under the Employee Retirement Income Security Act, making reasonable efforts to mitigate cyberthreats is part of a retirement plan fiduciary's responsibilities.
And while initial impressions of the guidance were positive, some stakeholders would like to see more, including a formal rule-making process with the opportunity to provide comments.
After months of back and forth with stakeholders and a report from the Government Accountability Office with tailored cybersecurity recommendations, the Labor Department on April 14 unveiled a three-piece guidance package detailing best practices for maintaining cybersecurity for plan sponsors, plan fiduciaries, record keepers and plan participants.
Plan sponsors welcome the guidance — which offers tips as opposed to orders — especially because the Labor Department has been asking plans under audit about their cybersecurity procedures, said Will Hansen, Arlington, Va.-based executive director of the Plan Sponsor Council of America and chief government affairs officer at the American Retirement Association. The guidance provides "more insight into what the Department of Labor thinks are best practices for plan sponsors to engage in analyzing their record keepers and service providers on what are the best cybersecurity practices," Mr. Hansen said.
The first piece of guidance included tips for plan sponsors and fiduciaries on how to select a service provider with strong cybersecurity practices and how to monitor their activities. The tips include asking whether the service provider has experienced past security breaches, what happened and how the service provider responded, and making sure any contract with a service provider requires ongoing compliance with cybersecurity and information security standards.
The second piece of guidance was a list of 12 cybersecurity program best practices for plan sponsors and record keepers, such as having a reliable annual third-party audit of security controls and ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
The final piece was a set of online security tips for participants and beneficiaries when accessing a retirement account.