On April 14, 2021 the U.S. Department of Labor (DOL) released new guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America’s workers. This is the first time the DOL’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance. The guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA), as well as at plan participants and beneficiaries, and it is intended to complement the existing regulations on electronic records and disclosures.
Since ERISA’s enactment, retirement plan administration has evolved. Reliance on IT systems and the internet, along with the outsourcing of administration to third-party service providers, creates risks that can compromise participants’ personally identifiable information (PII) and plan asset data. The growth of retirement plan assets further highlights what is at stake. As of 2018, EBSA estimates that private pension plans cover 34 million defined benefit plan participants and 106 million defined contribution plan participants, with estimated assets of $9.3 trillion.
The guidance issued by the DOL follows a report released earlier this year by the U.S. Government Accountability Office (GAO) urging the DOL to formally state whether cybersecurity is a plan fiduciary responsibility and to issue guidance that identifies minimum expectations for decreasing cybersecurity risks.
The DOL Guidance:
The DOL has long paid attention to the retirement plan industry’s cybersecurity programs, but this new guidance is its first attempt to set out what it expects of those programs and how their adequacy should be assessed.
The guidance comes in three forms:
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor its activities, as ERISA requires. Contains six “tips,” each an area on which plan sponsors should direct questions to their service providers.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in meeting their responsibility to manage cybersecurity risk. Contains twelve best practices for service providers to follow.
- Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online nine basic rules to follow to reduce the risk of fraud and loss.
This guidance is a step towards helping plan sponsors, fiduciaries, and participants safeguard retirement benefits and personal information. It emphasizes the priority that plan sponsors and fiduciaries must place on combatting cybercrime, and it gives participants and beneficiaries practical tips for remaining vigilant against emerging cyber threats.
- The guidance signals heightened fiduciary responsibility for the cybersecurity of ERISA plans and a duty to mitigate cybersecurity risk.
- Effective immediately, PEI has incorporated questions focused on the DOL “tips” in our RFP questionnaire.
- PEI will be requesting that all recordkeepers provide their responses to the questions provided by the DOL. We will share the responses with our clients as soon as they have been compiled.
- We encourage you to have the individuals within your organization who are experienced in such matters review the responses. Furthermore, as part of a prudent due diligence process, we also encourage you to meet with the appropriate members of your recordkeeper’s cybersecurity team for a more comprehensive review of their practices.
- Lastly, we also encourage you to distribute the Online Security Tips to plan participants.