Are your employer-sponsored retirement accounts exposed to cybersecurity threats?  How should you and those who are entrusted with your retirement assets mitigate cybersecurity risks?  The official who leads the Employee Benefits Security Administration of the U.S. Department of Labor (EBSA) addressed these questions at a recent conference, following EBSA's April 14, 2021 release of cybersecurity guidance for retirement plans.  The guidance outlines what actions plan sponsors, fiduciaries, service providers and participants should take to safeguard retirement assets and personal information against cybersecurity threats.

The guidance impacts more than employers and other plan fiduciaries.  If you provide any services to a retirement plan and have access to plan-related data (such as in your capacity as the plan's record keeper, custodian, actuary or auditor), you need to evaluate whether your cybersecurity programs are adequate in light of the 12 cybersecurity best practices outlined by EBSA.  These best practices range from encrypting sensitive data and documenting cybersecurity policies and procedures, to conducting annual risk assessments and training.  These EBSA best practices are generally consistent with cybersecurity guidelines issued by other regulators.  At a minimum, you should try to implement the best practices recommended by EBSA as part of your organization-wide cybersecurity program.

If you are an employer sponsoring a retirement plan for your employees, you have an obligation under law to prudently select and monitor service providers to the plan.  The EBSA guidance provides a list of “tips” for evaluating whether a service provider has robust cybersecurity policies and practices.  These tips encourage plan sponsors to conduct due diligence on the service provider's cybersecurity programs, third-party audit reports and past security breaches, and to negotiate contractual terms (such as insurance coverage and notice of breach provisions) that will enhance cybersecurity protections for the plan and its participants.
