DOL releases cybersecurity guidance for plan fiduciaries

On April 14, the U.S. Department of Labor (DOL) released a three-part package providing long-needed fiduciary guidance on plan cybersecurity. The package includes suggestions for hiring a service provider, cybersecurity program best practices and online security tips. Plan sponsors should consider incorporating the guidance into their current governance and administration practices.

Service provider cybersecurity oversight practices (plan sponsor focused)

Where plan sponsors engage third-party service providers to maintain plan and participant records, those providers should have the necessary procedures to keep plan data confidential and plan accounts secure. When evaluating a provider, the DOL suggests that plan sponsors:

  1. Review the provider’s information security standards, practices, policies and audit results, and compare them to industry standards.

  2. Consider how the provider validates its practices and what levels of security standards it has met and implemented.

  3. Evaluate the provider’s track record regarding information security incidents, other litigation and service-related legal proceedings.

  4. Ask whether the provider has experienced past security breaches, what happened, and how the service provider responded.

  5. Find out if the provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats).

  6. Negotiate favorable terms in the contract such as:

    1. INFORMATION SECURITY REPORTING: Require the provider to annually obtain a third-party audit of its compliance with information security policies and procedures.

    2. USE AND SHARING OF INFORMATION AND CONFIDENTIALITY: Spell out the provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification, or misuse.

    3. NOTIFICATION OF CYBERSECURITY BREACHES: Identify how quickly you would be notified of any cyber incident or data breach.

    4. COMPLIANCE WITH RECORDS RETENTION AND DESTRUCTION, PRIVACY, AND INFORMATION SECURITY LAWS: Specify the provider’s obligations to meet all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements pertaining to the privacy, confidentiality or security of participants’ personal information.

    5. INSURANCE: Require insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability, and privacy breach insurance, and/or fidelity bond/blanket crime coverage.

Cybersecurity program best practices (provider focused)

The DOL suggests the following best practices for providers and recommends that plan fiduciaries evaluate adherence to them when deciding which service providers to hire.

  1. Have a formal, well-documented cybersecurity program.

  2. Conduct prudent annual risk assessments.

  3. Have a reliable annual third-party audit of security controls.

  4. Clearly define and assign information security roles and responsibilities.

  5. Have strong access control procedures.

  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

  7. Conduct periodic cybersecurity awareness training.

  8. Implement and manage a secure system development life cycle (SDLC) program.

  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

  10. Encrypt sensitive data, stored and in transit.

  11. Implement strong technical controls in accordance with best security practices.

  12. Appropriately respond to any past cybersecurity incidents.

Online security tips (participant focused)

The DOL suggests that participants can reduce the risk of fraud and loss to their retirement account by following these steps.

  1. Register, set up and routinely monitor your online account.

  2. Use strong and unique passwords.

  3. Use multifactor authentication.

  4. Keep personal contact information current.

  5. Close or delete unused accounts.

  6. Be wary of free Wi-Fi.

  7. Beware of phishing attacks.

  8. Use antivirus software and keep apps and software current.

  9. Know how to report identity theft and cybersecurity incidents.

Next steps for plan sponsors

Cybercrime has targeted retirement plans for years and is increasingly sophisticated. With America’s workforce going remote due to the pandemic, the threat of cyberattacks is increasing. Plan sponsors and service providers caught without a response have become targets of costly litigation and will eventually be subject to regulatory scrutiny. The DOL has done a nice job of gathering information and recommendations from all sides of the retirement plan industry and putting forth a useful set of guidelines for plan sponsors to consider. All three parts of the DOL’s release are considered nonbinding informal guidance. Similar types of DOL guidance in the past, notably 2012’s Target Date Retirement Funds: Tips for ERISA Plan Fiduciaries, have become standards that many litigation and regulatory enforcement actions measure a plan fiduciary against. We expect this round of guidance to be no different, and plan sponsors should begin formulating a plan.

Lockton has long understood the importance of cyber risk management, particularly with respect to your retirement plan. Since 2015, we have helped clients evaluate retirement industry service providers’ cybersecurity practices. Our processes already incorporate many of the DOL’s recommendations, and we continue to evolve our approach to incorporate new best practices. Should you have any questions, please contact your Lockton Retirement Services Team.


FOR INSTITUTIONAL USE ONLY

Investment advisory services offered through Lockton Investment Advisors, LLC, a SEC registered investment advisor.

Nothing in this message should be construed as legal advice. Lockton may not be considered your legal counsel and communications with Lockton’s compliance services group are not privileged under the attorney-client privilege.