DOL Steerage for Retirement Plan Cybersecurity

Earlier this 12 months, the DOL’s Worker Advantages Safety Administration issued cybersecurity steering for retirement plan sponsors, fiduciaries, recordkeepers, and individuals. It lays out the obligations of “accountable plan fiduciaries” to mitigate cybersecurity dangers to retirement plan belongings and participant knowledge. Relating to greatest practices, the DOL steering for retirement plan cybersecurity recommends a three-pronged method:

1. Suggestions for hiring a retirement plan service supplier

2. Retirement plan cybersecurity greatest practices

3. On-line safety suggestions for plan fiduciaries and individuals

The DOL’s 3-Pronged Cybersecurity Plan

Given at this time’s heightened cybersecurity dangers, adopting a security-first mindset is crucial for advisors within the retirement plan area. By educating your purchasers in regards to the DOL’s cybersecurity expectations, you’ll construct relationships with retirement plan sponsors and improve the worth you present them.

How are you going to assist defend the belongings and participant knowledge of your retirement plan purchasers? Let’s overview the specifics of the DOL steering for retirement plan cybersecurity.

1) Suggestions for hiring a retirement plan service supplier. Many (if not most) plan sponsors depend on third-party service suppliers for help with plan administration and recordkeeping. You’ll be able to assist purchasers make the fitting determination for his or her plans by guaranteeing that they deal with the next greatest practices when vetting third-party distributors:

• Ask in regards to the service supplier’s data safety requirements, practices, insurance policies, and audit outcomes. Your plan sponsor purchasers ought to evaluate this knowledge with trade requirements.

• Find out how the service supplier validates its practices and which ranges of safety requirements it has met and carried out. Right here, the main focus must be on contract provisions that give the consumer the fitting to overview audit outcomes, demonstrating compliance with the usual.

• Consider the service supplier’s trade monitor report. Crimson flags would possibly embody data safety incidents, litigation, or authorized proceedings associated to the seller’s providers.

• Focus on whether or not the service supplier has skilled previous safety breaches. In that case, what occurred? How did the service supplier reply?

• Discover out whether or not the service supplier has any insurance coverage insurance policies. Would such insurance policies cowl losses brought on by cybersecurity and identification theft breaches?

• Make sure that the service supplier contract requires ongoing compliance with cybersecurity and knowledge safety requirements. Some contract provisions could restrict the service supplier’s accountability for data safety breaches, whereas different phrases improve cybersecurity safety for the plan and its individuals, together with:

  • Data safety reporting

  • Provisions on the use and sharing of data and confidentiality

  • Notification of cybersecurity breaches

  • Compliance with information retention and destruction, privateness, and knowledge safety legal guidelines

  • Insurance coverage

2) Retirement plan cybersecurity greatest practices. Creating a coverage primarily based on greatest practices will allow plan fiduciaries to behave prudently and mitigate cybersecurity danger. Make sure to educate your plan sponsor purchasers on the next pillars of a superb coverage:

• Create a proper, well-documented cybersecurity program to determine and assess inner and exterior cybersecurity dangers that threaten the confidentiality, integrity, or availability of saved, nonpublic data. This system ought to:

  • Pinpoint dangers

  • Present needed safety

  • Establish cybersecurity occasions and reply to them

  • Work to revive operations and providers

• Set up robust safety insurance policies, pointers, and requirements.

• Conduct annual danger assessments, in addition to periodic cybersecurity consciousness coaching.

• Carry out an annual third-party audit of safety controls.

• Outline and assign data safety roles and tasks.

• Develop robust knowledge entry management procedures.

• Make sure that any belongings or knowledge saved in a cloud or managed by a third-party service supplier are topic to applicable safety critiques and unbiased safety assessments.

• Implement and handle a safe programs improvement life cycle (SDLC) program (i.e., a proper approach of guaranteeing that ample safety controls are carried out).

• Have an efficient enterprise resiliency program that addresses enterprise continuity, catastrophe restoration, and incident response.

• Make sure that delicate knowledge is encrypted whereas saved and in transit.

• Implement robust technical safety options and safety greatest practices (e.g., often replace antivirus software program and again up knowledge).

• Appropriately reply to previous cybersecurity incidents.

3) On-line safety suggestions for plan fiduciaries and individuals. Though the next suggestions is perhaps acquainted, maintaining them prime of thoughts will assist your purchasers and their plan individuals scale back the chance of fraud and loss to their retirement accounts:

• Register, arrange, and routinely monitor any on-line retirement account.

• Create robust and distinctive passwords.

• Use multifactor authentication.

• Hold private contact data present.

• Shut or delete unused accounts.

• Be cautious of free Wi-Fi.

• Be within the know concerning indicators of phishing assaults.

• Use antivirus software program and maintain apps and software program present.

Cybersecurity Consciousness Mindset

In accordance with the DOL steering for retirement plan cybersecurity, the insurance policies described above are designed to assist defend an estimated $9.3 trillion in plan belongings. This huge sum highlights the cyberthreats confronted by your plan sponsor purchasers and their plan individuals. Should you’re an advisor who helps or acts as a plan fiduciary, you’ve gotten an obligation to do your half in educating your purchasers concerning cybersecurity. It’s additionally a superb enterprise apply—and a very good option to construct relationships with retirement plan sponsors.

For extra data on cybersecurity, learn our current publish on the significance of cyber legal responsibility insurance coverage. We additionally suggest visiting the Cybersecurity Consciousness Month web site.