May 03, 2021 12:00 AM

DOL guidance welcomed but some want it to go further

Brian Croce
    Will Hansen (Photo: Jennifer Bishop). Will Hansen said plan sponsors like that the DOL offered tips rather than orders.

    The Department of Labor's Employee Benefits Security Administration, in issuing its first cybersecurity guidance, made clear a point that was previously only assumed: that under the Employee Retirement Income Security Act, making reasonable efforts to mitigate cyberthreats is part of a retirement plan fiduciary's responsibilities.

    And while initial impressions of the guidance were positive, some stakeholders would like to see more, including a formal rule-making process with the opportunity to provide comments.

    After months of back and forth with stakeholders and a report from the Government Accountability Office with tailored cybersecurity recommendations, the Labor Department on April 14 unveiled a three-piece guidance package detailing best practices for maintaining cybersecurity for plan sponsors, plan fiduciaries, record keepers and plan participants.

    Plan sponsors welcome the guidance — which offers tips as opposed to orders — especially because the Labor Department has been asking plans under audit about their cybersecurity procedures, said Will Hansen, Arlington, Va.-based executive director of the Plan Sponsor Council of America and chief government affairs officer at the American Retirement Association. The guidance provides "more insight into what the Department of Labor thinks are best practices for plan sponsors to engage in analyzing their record keepers and service providers on what are the best cybersecurity practices," Mr. Hansen said.

    The first piece of guidance included tips for plan sponsors and fiduciaries on how to select a service provider with strong cybersecurity practices and how to monitor their activities. The tips include asking whether the service provider has experienced past security breaches, what happened and how the service provider responded, and making sure any contract with a service provider requires ongoing compliance with cybersecurity and information security standards.

    The second piece of guidance was a list of 12 cybersecurity program best practices for plan sponsors and record keepers, such as having a reliable annual third-party audit of security controls and ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

    The final piece was a set of online security tips for participants and beneficiaries when accessing a retirement account.

    ‘Much-needed’ guidance

    Without sufficient protections, retirement plan participants and assets may be at risk from both internal and external cybersecurity threats, the Labor Department said in a news release. "This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combating cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats," said Ali Khawar, acting assistant secretary for EBSA, in the news release.

    Most record keepers should be comfortable with the Labor Department's guidance because it aligns closely with the SPARK Institute's standards, said Tim Rouse, Simsbury, Conn.-based executive director at SPARK, which represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms.

    SPARK formed the Data Security Oversight Board, composed of industry stakeholders, which published a set of cybersecurity best practice standards in 2017.

    Both the Labor Department guidance and the SPARK standards are built on two key principles to better assist the plan sponsor in fulfilling its cybersecurity fiduciary duty, Mr. Rouse said: the consumer should be provided standard cybersecurity information that can be used to compare service providers, and basic cybersecurity information should be provided by trusted independent third-party auditors to ensure the integrity of all the data.

    One thing Mr. Rouse would like the Labor Department to make clear to plan sponsors, though, is that the sharing of a penetration test — done to find vulnerabilities in a defense system — is unacceptable since it could contain a road map for bad actors. Instead, plan sponsors should be able to ask for and receive information on penetration tests, including how often they're performed and by whom, and what the remediation policy is for fixing identified issues.

    Also, plan sponsors should be clear what they mean by "breach" when contracting with service providers, Mr. Rouse said. Because of bots and automatic web requests, every system in the world is constantly experiencing some level of breach, he added.

    "Most never arise to a level of severity that becomes meaningful to a consumer," Mr. Rouse said. "Properly identifying the right level of severity acceptable to each plan sponsor is critical for this process to work effectively."

    Already commonplace

    The best practices outlined in the Labor Department's guidance are commonplace among record keepers, said Doug Peterson, Greenwood Village, Colo.-based chief information security officer for Empower Retirement and chairman of SPARK's Data Security Oversight Board. "There are certain table stakes when you've got people's identities, you've got their retirement dollars, you absolutely have an obligation to protect that," he said.

    Elizabeth S. Goldberg and Matthew H. Hawes, Pittsburgh-based partners with law firm Morgan, Lewis & Bockius LLP, were pleased the Labor Department issued guidance on this subject before initiating cybersecurity-targeted audits, but took issue with the retirement industry not getting an opportunity to comment before the guidance was released.

    Although guidance can be helpful in gaining insight into how the Department of Labor views a particular issue, a formal rule-making process — where comment periods are required — is "afforded greater weight" from a legal perspective, Mr. Hawes said.

    "I certainly would expect that depending on how this is received and what happens as a result of this guidance over the next couple of months, couple of years, that the Department of Labor may wade more formally into this area and memorialize some of this in formal regulations," Mr. Hawes added.

    Mr. Peterson would like to see a formal regulation. "Hopefully that's in the future at some point," he said.

    But with the guidance now on the books, "We are expecting as a next step by the DOL for there to be some investigations in this area," Ms. Goldberg said.

    Mr. Hansen is happy the guidance came before investigations. "Plan sponsors have been audited for years by the Department of Labor on missing participants with zero guidance, so I think the fact that they are being proactive on cybersecurity is a great first step," he said. The Labor Department in January issued a list of best practices for locating missing participants following years of investigations.

    Evolving threats

    At the beginning of the COVID-19 pandemic, with tens of millions of Americans suddenly working from home, cybersecurity experts feared bad actors would have more opportunities to infiltrate individual retirement accounts.

    But Ben Taylor, Los Angeles-based senior vice president and head of tax-exempt DC research at Callan LLC, said that didn't end up happening. "I think a lot of the bad actors' attention have turned elsewhere with the same information because it's been a lot easier to get it from unemployment claims or pandemic stimulus than it has been to get it from a retirement plan," he said.

    Still, cyberthreats have evolved in recent years. "The attacks certainly are far more sophisticated than they were just five years ago," Mr. Peterson said. "We're seeing an increase in advanced persistent threats."

    Mr. Rouse has noticed a similar evolution: "No longer is it just one individual who's just sitting there trying to get into your system; now what's been done is it's automated to the point where it's literally millions of bots attacking firewalls all over the world," he said. "It's a constant battle. You can never take a rest because the bad guys are never taking a rest."

    Never taking a rest means ramping up cyberdefenses, which has become a common practice for record keepers. "The persistent actors have gotten consistently more sophisticated in their ability to go after just about any target, but at the same time the defense has grown more sophisticated at probably a more rapid rate," Mr. Taylor said.

    Pensions & Investments
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.