On April 14, 2021, the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) released cybersecurity guidance aimed at protecting workers’ retirement benefits. This guidance was directed at plan sponsors, plan fiduciaries, administrative record-keepers and plan participants. The information below is a brief summary of the overall guidance and the complete guidance can be found here.
The first piece of guidance set out information technology security protocols for benefit plans covered by the Employee Retirement Income Security Act (ERISA) and outlined 12 points for cybersecurity risk mitigation, including conducting cybersecurity risk assessments at least annually and obtaining third-party audits of system security controls.
Plan sponsors' cybersecurity programs should be managed at the executive level, ideally by the Chief Information Security Officer (CISO), and cybersecurity awareness training should be conducted at least annually. Plan sponsors should use a dynamic training protocol that is regularly updated to reflect the risks identified through the plan's own risk self-assessment process.
Plan sponsors and fiduciaries should also maintain a secure system development life cycle (SDLC) program. A properly designed secure SDLC program ensures that security considerations are built in from the start when new systems are designed, rather than bolted on after deployment.
The second piece of guidance was aimed at helping plan sponsors and fiduciaries protect plan data when engaging third-party service providers, and it includes six core points that plan sponsors and fiduciaries should follow in order to meet their responsibilities under ERISA.
Plan sponsors should ensure that service providers have protections addressing access control policies, encryption policies and a notification protocol to follow if a cybersecurity incident affects plan participant data. These protections should also include ongoing compliance with evolving cybersecurity and information security standards.
The third piece of guidance, directed at plan participants, lists best practices for reducing the risk of fraud and cyber threats to retirement accounts, such as using multifactor authentication wherever it is offered, changing passwords regularly and avoiding free or public Wi-Fi when possible.