U.S. Department of Labor Offers Cybersecurity Guidance for Retirement Plan Administration
On April 14, the U.S. Department of Labor (DOL) issued a news release with guidance on cybersecurity for retirement plan administration. The release by the department’s Employee Benefits Security Administration (EBSA) is aimed at plan sponsors, fiduciaries, record-keepers and participants of plans regulated by the Employee Retirement Income Security Act (ERISA), the federal law that sets the minimum standards for retirement and health plans in private industry.
Per the DOL, 34 million defined benefit plan participants and 106 million defined contribution plan participants are in danger from internal and external cybersecurity threats. Assets of $9.3 trillion are at risk.
The release includes three separate sets of guidelines:
- Cybersecurity program best practices: Retirement plan administration should include a focus on cybersecurity. Develop, monitor, and enforce a documented cybersecurity program with policies, procedures, guidelines, and standards to identify and protect against risk. Have that program vetted by senior leadership, staffed by professionals, explained to users in annual training, and audited for compliance by a third party.
- Tips for hiring a service provider: Third-party service providers that you use to administer your retirement plans should be secure from a cybersecurity and data security standpoint. Ensure that they comply with standards, are audited, and allow for contractual oversight.
- Online security tips: Retirement plan participants and beneficiaries should reduce their risk of fraud and loss. Implement security best practices, including using multi-factor authentication (MFA), strong passwords, identity theft protection, and online monitoring.
Note: For a more detailed look, refer to our DOL Cybersecurity Guidance for Retirement Plan Administration Checklist.
ACA guidance
Retirement plan administration is often viewed as residing solely in the domain of human resources. This siloed approach may not consider the need for involvement of cybersecurity planning and expertise.
The Department of Labor guidance serves to highlight this need. With over $9 trillion and the future retirement comfort of more than a hundred million plan participants at risk, implementation of this guidance is strongly recommended.
Further, the DOL is indicating its recognition of cybersecurity and resiliency as key business risks. This does away with the somewhat common impression that cybersecurity is not a relevant consideration under ERISA. Along with other regulatory bodies, the DOL is asking plan sponsors, investment advisers, record-keepers and others to implement robust programs. Firms with ERISA clients should be aware of this guidance and ensure they are adhering to the recommendations contained in it.
Recommended next steps:
- Recognize the DOL guidance as an indication of the need to adopt cybersecurity and privacy best practices with regards to retirement plan administration.
- Note the DOL emphasis on prudent annual risk assessments and on reliable annual third-party audits of security controls. These are not yet universal among clients but, per the DOL guidance, should be.
- At this point, based on staffing realities, DOL investigators are more likely to use a checklist to review adherence than to engage in a technical review. The DOL currently does not have cyber experts; this may change in the future. For the present, it is imperative for firms to "check those boxes."
- For additional guidance specifics, refer to our DOL Cybersecurity Guidance for Retirement Plan Administration Checklist.
- If needed, look to ACA Aponix or other trusted third-party advisors to ensure that this or similar retirement plan administration cybersecurity guidance is in place in your organization.
How we help
ACA Aponix offers the following solutions that can help your firm protect itself in relation to this and similar cybersecurity warnings, and to enhance its cybersecurity in general:
- Risk assessments and regulatory compliance testing services
- Threat Intelligence, phishing testing, and monitoring
- Operational resilience and governance