On April 14, 2021, the United States Department of Labor’s (DOL) Employee Benefits Security Administration published three cybersecurity guidance releases. Cybersecurity Program Best Practices and Tips for Hiring a Service Provider with Strong Cybersecurity Practices contain guidance for plan sponsors, fiduciaries, and recordkeepers. Online Security Tips contains information for retirement investors.
Cybersecurity Program Best Practices – This publication was released to help recordkeepers, other service providers responsible for plan-related IT systems and data, and plan fiduciaries ensure proper mitigation of cybersecurity risks. According to the DOL’s guidance, a plan’s service provider should meet the following 12 criteria, all of which are explained in detail within the publication.
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents
Tips for Hiring a Service Provider with Strong Cybersecurity Practices – This publication was released to help business owners and fiduciaries vet third-party service providers to ensure their participant data is kept confidential, plan accounts are securely maintained, and they are meeting their responsibilities under the Employee Retirement Income Security Act (ERISA). The document includes inquiries plan sponsors should make of potential service providers, as well as what should and should not be included in your contract with a service provider.
Online Security Tips – This publication contains basic rules for retirement investors to follow to reduce the risk of fraud and loss to their retirement accounts and how to report identity theft and cybersecurity incidents. Topics include best practices for monitoring accounts, setting up passwords and multi-factor authentication, updating contact information, closing unused accounts, using and updating anti-virus software and apps, using protected Wi-Fi networks, and avoiding phishing scams.
by Benjamin Lord, CPA, CCIFP
Ben Lord is a Tax Director and has been with ARB since 2013. He specializes in audit and consulting services for employee benefit plans. Ben manages employee benefit plan audits in an efficient, cost-effective way by customizing services to meet a plan’s specific needs. He also specializes in consulting and financial accounting services for construction, real estate development, manufacturing, and professional services firms.