Cyberattacks and data breaches have increased exponentially over the past several years and have affected every industry, including retirement plans. While a casual observer sees only the most significant examples of cyberattacks in the media, such as the recent Colonial Pipeline attack, the reality is that they occur every day and are only increasing in complexity and cost.
That’s why the Department of Labor (DOL) recently published a list of cybersecurity best practices for retirement plan sponsors, fiduciaries, record keepers, and participants. The guidance marks the first time that the Department has issued cyber guidance related specifically to retirees and their fiduciaries, and it seeks to further protect the collective $9.3 trillion in retirement assets that Americans have saved for their golden years. It may also be an early indicator of whether regulations on information security protocols for retirement plans are coming. The highlights below cover what plan sponsors and participants should know.
Who Should Take Note
The new DOL guidance specifically targets plan sponsors and fiduciaries that are regulated by the Employee Retirement Income Security Act (ERISA), and any individual or group that participates in or receives benefits from such a plan. Any person who keeps records for one of the 34 million private plan participants, or 106 million contribution plan participants, subject to ERISA is also included.
What the Guidance Says
The guidance covers three key areas: the hiring of service providers, best practices for cybersecurity programs, and general online security tips that participants and beneficiaries can follow to reduce their risk of falling victim to a cyberattack.
Business owners and sponsors of pension plans or 401k plans often use third parties to maintain data and records. The guidance from the Employee Benefits Security Administration (EBSA) encourages a review of the prospective third-party service provider’s cybersecurity controls prior to signing on the dotted line. That includes:
- Comparing cybersecurity policies and procedures to industry standards, cybersecurity frameworks, and peer companies.
- Asking whether and how the third party validates its cybersecurity controls and what level of security it has implemented.
- Reviewing the provider’s security history, including ongoing cyberattack litigation and whether they have been victims of past breaches.
- Asking to review a current SOC 2 Type 2 report commissioned by the third party.
- Inquiring about whether the provider has insurance that would cover cybersecurity losses of the plan and its participants in the event of a breach or attack.
The guidance also covers cybersecurity program best practices that apply to all fiduciaries responsible for overseeing retirement accounts. The DOL points out that fiduciaries now have an obligation to actively seek out and mitigate cybersecurity risks. The EBSA notes that recordkeepers should:
- Have a formal cybersecurity program, information security program, and incident response plan.
- Plan for risks including business continuity, disaster recovery, and incident response.
- Perform annual risk assessments of their IT security environment, baselined against commonly used frameworks such as NIST 800-53.
- Conduct regular third-party audits of the security control environment, including applicable service level agreements.
- Clearly define IT and cybersecurity roles within the organization.
- Have strong logical access control procedures for employees and external users of their systems.
- Ensure that assets stored by third parties are also subject to security reviews.
- Offer cybersecurity awareness training.
- Use a secure system development life cycle (SDLC) program.
- Protect sensitive data through encryption.
- Use strong technical controls.
- Respond to cybersecurity incidents in a timely manner.
The EBSA elaborates on each point in detail in its best practices document.
Regarding online best practices, the agency outlines digital information strategies that may seem simple for those with prior exposure to IT security, but nevertheless are worth repeating. They include:
- Regularly check and maintain access to online accounts, as it reduces the risk of fraudulent activity.
- Implement password complexity requirements and keep them in a secure password managing platform.
- Use multi-factor authentication.
- Keep personal contact information current.
- Delete unused and/or disable terminated employee accounts promptly.
- Avoid use of free Wi-Fi unless connected to a virtual private network (VPN).
- Know the signs of a phishing attack and avoid them.
- Use antivirus software and keep virus definitions current in real-time.
- Know how to report identity theft and cybersecurity incidents.
How Your Organization Can Stay Secure
Organizations with retirement plans should take the time to review the guidance from the DOL and see how their own retirement plan cybersecurity measures stack up. Regardless of whether an organization followed best practices when a plan was established, being proactive now means going back to service providers, asking questions that align with the guidance, and assessing overall risk based on their responses. The following action items may help with improving the information security of your benefit plan.
Action Item: Undergo an IT Security Environment Risk Assessment
One highly recommended step for organizations with retirement plans is to undergo a third-party risk assessment focused on the overall IT security environment, to review whether online best practices are being followed regarding plan information. Internal and external vulnerability assessments and penetration testing may pinpoint where the organization is most susceptible and give management the opportunity to address those vulnerabilities before a cyber incident or event occurs.
Action Item: Cybersecurity Training
Plan participants play a role in cybersecurity. It is never too late to offer security awareness training for participants and employees to educate them on the easy steps they can take to prevent unauthorized access to plan data. Phishing strategies and other attack vectors continue to evolve, so regular training is essential to helping everyone understand the changes in the IT security risk environment.
Action Item: Vendor Risk Assessment
Organizations that use third-party service providers to manage their plan data may consider revisiting their vendor risk policy to evaluate whether a deeper dive or due diligence assessment is needed. Depending on the findings from this analysis, your company may even consider requesting a System and Organization Controls (SOC) 2 Type 2 report covering the service provider’s applications and/or systems that your organization relies upon.
To learn more about what the DOL’s guidance means for your plan assets, contact a member of our team.
Published on June 08, 2021
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.