The U.S. Department of Labor (DOL) is becoming alarmed by the growing prevalence and sophistication of cybercrime. In response to this mounting threat, the agency recently released a cybersecurity program best practices guide for employers and companies that provide services to their retirement plans.
Benefits of Prompt Compliance
Attorneys specializing in retirement plan matters advise plan sponsors to heed the new DOL guidelines. Failure to do so could make your company vulnerable if litigation erupts following any kind of cyberbreach of its retirement plans — even if most of the plan’s administration is handled by service providers. ERISA plan fiduciaries generally must take reasonable steps to protect plan assets from cyberattacks.
Even without a legal dark cloud hovering above, employers do not want to see their employees’ retirement savings wiped out in a breach. Moreover, management could transfer the knowledge gained from implementing the DOL’s recommended cybersecurity protocols to other potential areas of vulnerability, including the company’s financial systems.
Creating Your Cybersecurity Plan
Compliance with the DOL guidance begins with a comprehensive security plan. “A sound cybersecurity program,” the guidance states, “identifies and assesses internal and external risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information.”
The plan needs to feature policies, procedures, guidelines and standards in the following areas:
• Approval by top management,
• An annual review of the program,
• Education for relevant parties about the program,
• Documentation of the framework(s) used to assess the security of your systems, and
• Periodic audits by an outside expert to ensure that your plan is being followed.
The DOL expects your external security audit to include, among other things, audit reports, files, penetration test reports and supporting documents. Auditors also should document corrections of any cybersecurity weaknesses identified during the audit.
In addition to periodic external audits, the DOL recommends a fresh annual cybersecurity risk assessment. That is because cybercriminals are constantly developing new tactics to break through your defenses.
“Employees are often an organization’s weakest link for cybersecurity,” according to the guidance. So, employers need a comprehensive cybersecurity awareness program that sets expectations for employees and teaches them to “recognize attack vectors, help prevent cyber-related incidents, and respond to a potential threat.”
Controlling Data Access
To manage the threat of employees inadvertently opening the door to cybercriminals, the DOL guidance calls for strong access control procedures. Examples include:
• Customizing who is granted access to systems according to the role of individuals involved, such as general users, plan administrators, third party administrators and IT personnel,
• Using multifactor identification whenever possible, especially to access the internal networks from an external network,
• Reviewing access privileges at least every three months and, when necessary, disabling access according to your access policies,
• Monitoring the activity of authorized users and detecting unauthorized access or inappropriate actions,
• Creating a process to ensure that any sensitive information about a participant or beneficiary in the service provider’s records matches the information that the plan maintains about the participant, and
• Confirming the identity of the authorized recipient of any funds that are dispersed from the plan.
The DOL guidance addresses particular areas of risk associated with data stored on the cloud. The guidance points out: “In the cloud, data is stored with a third-party provider.” So, transparency and control over the data may be limited. Consider the following steps to help maintain scrutiny over cloud storage practices by third-party providers:
• Require a risk assessment of the provider,
• Establish minimum cybersecurity practices for the provider, and
• Ensure that guidelines and contract provisions are as robust as those you hold your retirement plan services providers to.
The DOL guidance also recommends putting together a business “resiliency” plan. It is important to have an incident response plan in place to help IT staff detect, respond to and recover from security incidents.
Post-incident best practices also include recommended actions, such as notifying law enforcement and your insurance carrier, and providing information about the breach to affected participants “to prevent or reduce injury.”
Fortify Your Defenses
Adhering to the DOL guidance can dramatically decrease the risk of a cyberattack on your company’s retirement plan. Plus, if your retirement plan does get hacked and you can prove compliance with the DOL guidance, you will probably have a much easier time dealing with your plan’s service providers and insurance carrier to ensure that any harm to participants is rectified — but not at your expense.
Contact us so we can help you update your company’s existing retirement plan cybersecurity protocols to comply with the rigorous new DOL guidelines.
© Copyright 2021 Thomson Reuters.
Disclaimer of Liability
Our firm provides the information in this article for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisors. Before making any decision or taking any action, you should consult a professional advisor who has been provided with all pertinent facts relevant to your particular situation. Tax articles in this blog are not intended to be used, and cannot be used by any taxpayer, for the purpose of avoiding accuracy-related penalties that may be imposed on the taxpayer. The information is provided “as is,” with no assurance or guarantee of completeness, accuracy or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability and fitness for a particular purpose.