DOL Issues Guidance on Retirement Plan Cybersecurity Best Practices

May 05, 2021

Authors: Lisa Vandesteeg, Lauren Wiley, Kristy Britsch

The Department of Labor (the “DOL”) released guidance on April 14, 2021 regarding cybersecurity and data privacy best practices for retirement plan providers and participants. Nearly $10 trillion are held in retirement plans, making them a rich target for hackers and bad actors. Retirement plan administration often requires multiple parties to disclose and protect sensitive or personally identifiable information (“PII”), which means that plan sponsors and providers should establish security standards if they have not already.

Participants trust their providers and sponsors to store their PII, and as a result, all parties have a role to play in protecting against a breach of that personal information. The DOL’s guidance provides best practices and tips for all three groups to help them learn how to avoid a breach of retirement plans.

Specifically, the DOL issued guidance covering:

  1. Cybersecurity program best practices for plan service providers,
  2. Tips for plan sponsors to hire service providers with strong cybersecurity practices, and
  3. Online security tips directed at plan participants to safeguard their accounts.

For providers, the DOL advises creating a formal, documented cybersecurity program to protect both the information systems and the information itself from unauthorized access. There should be clearly defined security roles and responsibilities and strong access control procedures. Sensitive information and data should be encrypted at rest and in transit, and strong technical controls should be in place overall. Service providers should undertake risk assessments and third-party audits of security controls. And service providers should work only with well-vetted third parties, which are themselves subject to appropriate security reviews or assessments.

When hiring such plan service providers, the DOL advises plan sponsors to perform a reasonable amount of due diligence on whether the provider follows strong cybersecurity practices. A plan sponsor should look for providers who have standards, practices, policies, and audit results, as well as an articulated plan for how they validate these practices. Sponsors are obligated to protect the data of their participants, and as such, sponsors should prioritize partnering with providers who have well-documented track records, especially if they have experienced a security breach in the past. And sponsors should ensure that contracts with providers specifically require ongoing compliance with information security standards and procedures, such as information security audits, restrictions on the use or sharing of information, notification of security incidents or breaches, compliance with applicable privacy and data security laws or regulations, and maintenance of ongoing cyber liability insurance coverage.

Finally, the DOL encourages plan participants to be smart about their online security, providing basic tips: monitor their accounts frequently, use unique passwords and multi-factor authentication, avoid free wi-fi, beware of phishing attacks, and update contact information when necessary. The DOL also encourages participants to know when and how to report identity theft and cybersecurity incidents.

While these practices are especially relevant within the retirement plan industry, they are generally applicable across all businesses and industries. A well-rounded information security program to protect confidential or personally identifiable information is a best practice for all businesses (and a legal requirement for some). For questions on how to integrate cybersecurity protection into your business plan, please contact Lisa Vandesteeg, Lauren Wiley, or Kristy Britsch.
