The U.S. Department of Labor (DOL) is becoming alarmed by the growing prevalence and sophistication of cybercrime. In response to this mounting threat, the agency recently released a cybersecurity program best practices guide for employers and companies that provide services to their retirement plans.
Attorneys specializing in retirement plan matters advise plan sponsors to heed the new DOL guidelines. Failure to do so could expose the company to liability if litigation follows a breach of its retirement plans, even when most of the plan's administration is outsourced to service providers. ERISA plan fiduciaries generally must take reasonable steps to protect plan assets from cyberattacks.
Even without a legal dark cloud hovering above, employers don't want to see their employees' retirement savings wiped out in a breach. Moreover, management could transfer the knowledge gained from implementing the DOL's recommended cybersecurity protocols to other potential areas of vulnerability, including the company's financial systems.
Compliance with the DOL guidance begins with a comprehensive security plan. "A sound cybersecurity program," the guidance states, "identifies and assesses internal and external risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information."
The plan needs to feature policies, procedures, guidelines and standards in the following areas:
The DOL expects your external security audit to produce, among other things, audit reports, audit files, penetration test reports and supporting documents, along with documented corrections of any cybersecurity weaknesses the audit identified.
In addition to periodic external audits, the DOL recommends a fresh annual cybersecurity risk assessment. That's because cybercriminals are constantly developing new tactics to break through your defenses.
"Employees are often an organization's weakest link for cybersecurity," according to the guidance. So, employers need a comprehensive cybersecurity awareness program that sets expectations for employees and teaches them to "recognize attack vectors, help prevent cyber-related incidents, and respond to a potential threat."
To manage the threat of employees inadvertently opening the door to cybercriminals, the DOL guidance calls for strong access control procedures. Examples include:
The DOL guidance addresses particular areas of risk associated with data stored on the cloud. The guidance points out: "In the cloud, data is stored with a third-party provider." So, transparency and control over the data may be limited. Consider the following steps to help maintain scrutiny over cloud storage practices by third-party providers:
The DOL guidance also recommends putting together a business "resiliency" plan. It's important to have an incident response plan in place to help IT staff detect, respond to and recover from security incidents.
Post-incident best practices also include recommended actions, such as notifying law enforcement and your insurance carrier, and providing information about the breach to affected participants "to prevent or reduce injury."
Adhering to the DOL guidance can reduce the risk of a successful cyberattack on your company's retirement plan. And if the plan is breached, documented compliance with the guidance will make it easier to work with your plan's service providers and insurance carrier to ensure that any harm to participants is remedied, and not at your expense.
For more information, contact your legal and financial advisors. These professionals can help you update your company's existing retirement plan cybersecurity protocols to comply with the rigorous new DOL guidelines.
Get in touch today and find out how we can help you meet your objectives.