Are your employer-sponsored retirement accounts exposed to cybersecurity threats? How should you mitigate the cybersecurity risks to your retirement assets? The head of the U.S. Department of Labor's Employee Benefits Security Administration (EBSA) addressed these questions at a recent conference, following EBSA's April 14, 2021 publication of cybersecurity guidance for retirement plans. The guidance describes the actions that plan sponsors, fiduciaries, service providers, and plan participants should take to protect retirement assets and personal information from cybersecurity threats.
The guidance affects more than employers and other plan fiduciaries. If you provide a service to a retirement plan and have access to plan-related data (for example, as a recordkeeper, custodian, actuary, or plan auditor), you will need to assess whether your cybersecurity program is adequate in light of the 12 cybersecurity best practices described by EBSA. These best practices range from encrypting sensitive data and documenting cybersecurity policies and procedures to conducting annual risk assessments and security awareness training. The EBSA best practices are largely consistent with cybersecurity guidance issued by other regulators. At a minimum, you should implement the practices EBSA recommends as part of an organization-wide cybersecurity program.
If you are an employer who sponsors a retirement plan for your employees, you are required by law to prudently select and monitor plan service providers. The EBSA guidance provides a list of "tips" for assessing whether a service provider has sound cybersecurity policies and practices. These tips encourage plan sponsors to conduct due diligence on a service provider's cybersecurity program, third-party audit reports, and prior security breaches, and to negotiate contractual terms (such as insurance coverage, security provisions, and breach notification requirements) that improve the cybersecurity protections of the plan and its participants.