Retirement plans are a potential target for cyber threats, making it crucial for fiduciaries to take action. To help safeguard participant data and retirement assets, the Department of Labor (DOL) has released guidelines aimed at protecting benefit plans from internal and external cybersecurity risks. Here's what retirement plan fiduciaries, providers and participants need to know to stay ahead of these threats.
Fiduciary Best Practices
The DOL requires retirement plan fiduciaries to ensure their service providers follow strong cybersecurity practices. Fiduciaries should consider the following when selecting and monitoring providers:
- Ask about their cybersecurity practices, procedures, policies and audit results, and compare them to what others in the industry are doing.
- Ask how they evaluate their procedures and what level of security standards they meet.
- Evaluate their cybersecurity track record based on public records.
- Ask about any prior breaches, including what happened and how the provider handled the issue.
- Ask about insurance coverage they may have that would cover any losses due to internal and external breaches.
- Ensure all provider contracts require ongoing compliance with security standards. Beware of contract provisions that limit the service provider’s responsibility for breaches.
Provider Best Practices
According to the DOL, recordkeepers and other service providers responsible for plan-related IT systems and data should have processes in place to protect plan assets. The following guidance is designed to help plan providers mitigate risks and plan fiduciaries make prudent decisions on the service providers they hire.
Service providers should:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure any assets or data stored in a cloud or managed by a third-party provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
- Encrypt sensitive data, both at rest and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to cybersecurity incidents.
Participant Best Practices
The DOL believes plan participants and their beneficiaries also have a responsibility to help keep their accounts secure. Plan sponsors should communicate the following tips to participants and beneficiaries:
- Register their account and monitor it regularly.
- Use strong and unique passwords.
- Use multi-factor authentication.
- Keep contact information current.
- Close/delete any unused accounts.
- Avoid ‘free’ Wi-Fi.
- Don’t share passwords, account details or other sensitive information with anyone.
- Use anti-virus software and keep all apps current.
- Know how to report identity theft and cybersecurity incidents.
With all parties following these best practices, risks of a security breach can be minimized. Connect with a professional to learn more.
Investment advisory services provided through CBIZ Investment Advisory Services, LLC, a registered investment adviser and a wholly owned subsidiary of CBIZ, Inc.