With cyberattacks happening more and more frequently, it is imperative to take steps to ensure the safety of personal information online. Each of us should be aware of our own online activity, but cybersecurity is also a growing concern in the administration of employer-sponsored retirement plans. Sensitive participant information is often shared online between plan providers such as recordkeepers, payroll companies, and third-party administrators. Employees are also visiting plan websites more often to get statements, view their balances, and use online planning tools, which commonly ask for additional personal information.
Earlier this year, the Government Accountability Office released a study entitled “Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans” which noted that in 2018, 106 million people had balances in employer-sponsored retirement plans worth approximately $6.3 trillion, and that number only continues to grow. The study also highlighted the cybersecurity risks faced by plan sponsors and participants.
In response, the Department of Labor (DOL) provided guidance for plan sponsors and stated, for the first time, that it is a fiduciary’s responsibility to mitigate the cybersecurity risks faced by the plan; this had not been explicitly stated previously. The DOL issued the guidance in three parts:
- Cybersecurity Best Practices
- Tips for Hiring Service Providers
- Online Security Tips for Plan Participants
The best practices are framed as applying to providers such as recordkeepers and third-party administrators, but plan sponsors can also use them as a guide when evaluating providers’ cybersecurity policies as well as their own internal policies. Some of the best practices include:
- Maintain a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Implement a reliable annual third-party audit of security controls.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
Selecting providers has long been an important responsibility for plan fiduciaries, and cybersecurity policies need to be part of the decision process. To help plan sponsors with this obligation, the DOL guidance points out key issues to consider:
- Ask about the service provider’s information security standards, practices and policies, and audit results.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Investigate whether the service provider has insurance to cover cybersecurity losses.
- Consider the willingness of the service provider to include contract terms requiring ongoing compliance with cybersecurity standards.
The online security tips for participants provide common-sense steps to help keep sensitive information private, which include:
- Establish and routinely monitor online accounts.
- Use strong and unique passwords.
- Use two-factor authentication (for example, entering a code sent by text or email).
- Keep personal contact information current.
- Beware of public/free Wi-Fi.
- Use antivirus software and update devices and apps regularly.
Cybersecurity should be a topic covered in employee education meetings to help plan participants safeguard their account and personal information. Many of the concepts outlined in the DOL guidance draw upon generally recognized cybersecurity best practices and will be familiar to those who have already implemented policies to protect their organization. They are also similar to the policies required for other employee benefits, such as health insurance.