Plan sponsors and record keepers can expect to soon see guidance from the Department of Labor concerning cybersecurity best practices.
"We are pretty far along in drafting a guidance package and it's subject to a review process, and I can't really predict today just when you'll see it, but I do expect we're going to give additional guidance," said Tim Hauser, deputy assistant secretary for national office operations at the Labor Department's Employee Benefits Security Administration, during a virtual cybersecurity event hosted Wednesday by the SPARK Institute.
Mr. Hauser said the guidance will focus mainly on the cybersecurity questions plan sponsors should consider when hiring a third-party service provider and also what those service providers, like record keepers, should be doing when it comes to cybersecurity.
"When a plan fiduciary is hiring somebody who is going to be responsible, for example, for confidential, personal information, or who's going to be running systems that keep track of people's account balances and the like, there's a responsibility to make sure that you've hired that person prudently, that firm prudently, and that you've thought about it," Mr. Hauser said.
For plan sponsors, the cybersecurity "questions you're likely to get from our investigators if they knock on your door" include what practices and policies the service provider you've hired has in place to ensure its systems are secure, and whether it undergoes regular third-party audits.
The Labor Department expects a bit more from the record keepers and other service providers overseeing plan assets, Mr. Hauser explained. Investigators want to see that record keepers perform regular risk assessments (at least annually) and undergo independent audits of their cybersecurity practices that document the systems' risks and vulnerabilities.
During a panel discussion at Pensions & Investments' DCW Virtual Series on Thursday, Joan Neri, counsel at the law firm Faegre Drinker Biddle & Reath, offered similar advice, urging service providers to keep track of all cybersecurity incidents that occur, even if "they get corrected quickly."
"We don't expect perfection, you are not going to be able to construct the perfectly safe, never vulnerable system," Mr. Hauser said during the SPARK event. "We do expect, though, folks to adhere to current standards of care and to be responsive when problems emerge and are identified. This is an area where being proactive and thoughtful can prevent a lot of mischief and being attentive when you're hiring folks can help."
Margarida Correia contributed to this report.