The Department of Labor on Wednesday released a set of guidance detailing best practices for maintaining cybersecurity for plan sponsors, plan fiduciaries, record keepers and plan participants.
The guidance has three distinct pieces, the first of which includes tips for plan sponsors and fiduciaries on how to select a service provider with strong cybersecurity practices and how to monitor their activities. The tips include asking whether the service provider has experienced past security breaches, what happened and how the service provider responded, and making sure any contract with a service provider requires ongoing compliance with cybersecurity and information security standards.
The second piece of guidance is a list of 12 cybersecurity program best practices for plan sponsors and record keepers, such as having a reliable annual third-party audit of security controls, and ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
The final piece is a set of online security tips for participants and beneficiaries when accessing a retirement account.
The Labor Department's Employee Benefits Security Administration estimates that as of 2018 there were 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion. Without sufficient protections, those participants and assets may be at risk from both internal and external cybersecurity threats, the Labor Department said in a news release, adding that ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.
"The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information," said Ali Khawar, acting assistant secretary for EBSA. "This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats."
Wednesday's guidance marks the first time the EBSA has issued cybersecurity guidance.