DOL Steering for Retirement Plan Cybersecurity

Table of Contents

Earlier this year, the DOL’s Employee Benefits Security Administration issued cybersecurity guidance for retirement plan sponsors, fiduciaries, recordkeepers, and members. It lays out the obligations of “accountable plan fiduciaries” to mitigate cybersecurity dangers to retirement plan belongings and participant knowledge. Concerning greatest practices, the DOL steering for retirement plan cybersecurity recommends a three-pronged strategy:

  1. Ideas for hiring a retirement plan service supplier

  2. Retirement plan cybersecurity greatest practices

  3. On-line safety suggestions for plan fiduciaries and members

The DOL’s 3-Pronged Cybersecurity Plan

Given right now’s heightened cybersecurity dangers, adopting a security-first mindset is crucial for advisors within the retirement plan house. By educating your shoppers concerning the DOL’s cybersecurity expectations, you’ll construct relationships with retirement plan sponsors and enhance the worth you present them.

How are you going to assist defend the belongings and participant knowledge of your retirement plan shoppers? Let’s assessment the specifics of the DOL steering for retirement plan cybersecurity.

1) Tips for hiring a retirement plan service provider. Many (if not most) plan sponsors depend on third-party service suppliers for help with plan administration and recordkeeping. You possibly can assist shoppers make the correct determination for his or her plans by guaranteeing that they concentrate on the next greatest practices when vetting third-party distributors:

  • Ask concerning the service supplier’s info safety requirements, practices, insurance policies, and audit outcomes. Your plan sponsor shoppers ought to examine this knowledge with trade requirements.

  • Find out how the service supplier validates its practices and which ranges of safety requirements it has met and carried out. Right here, the main target must be on contract provisions that give the consumer the correct to assessment audit outcomes, demonstrating compliance with the usual.

  • Consider the service supplier’s trade monitor report. Purple flags would possibly embody info safety incidents, litigation, or authorized proceedings associated to the seller’s providers.

  • Talk about whether or not the service supplier has skilled previous safety breaches. If that’s the case, what occurred? How did the service supplier reply?

  • Discover out whether or not the service supplier has any insurance coverage insurance policies. Would such insurance policies cowl losses attributable to cybersecurity and identification theft breaches?

  • Be sure that the service supplier contract requires ongoing compliance with cybersecurity and knowledge safety requirements. Some contract provisions might restrict the service supplier’s accountability for info safety breaches, whereas different phrases improve cybersecurity safety for the plan and its members, together with:

    • Info safety reporting

    • Provisions on the use and sharing of data and confidentiality

    • Notification of cybersecurity breaches

    • Compliance with information retention and destruction, privateness, and knowledge safety legal guidelines

    • Insurance coverage

2) Retirement plan cybersecurity best practicesGrowing a coverage based mostly on greatest practices will allow plan fiduciaries to behave prudently and mitigate cybersecurity danger. Be sure you educate your plan sponsor shoppers on the next pillars of an excellent coverage:

  • Create a proper, well-documented cybersecurity program to establish and assess inside and exterior cybersecurity dangers that threaten the confidentiality, integrity, or availability of saved, nonpublic info. This system ought to:

    • Pinpoint dangers

    • Present mandatory safety

    • Establish cybersecurity occasions and reply to them

    • Work to revive operations and providers

  • Set up sturdy safety insurance policies, tips, and requirements.

  • Conduct annual danger assessments, in addition to periodic cybersecurity consciousness coaching.

  • Carry out an annual third-party audit of safety controls.

  • Outline and assign info safety roles and duties.

  • Develop sturdy knowledge entry management procedures.

  • Be sure that any belongings or knowledge saved in a cloud or managed by a third-party service supplier are topic to acceptable safety opinions and unbiased safety assessments.

  • Implement and handle a safe programs improvement life cycle (SDLC) program (i.e., a proper means of guaranteeing that satisfactory safety controls are carried out).

  • Have an efficient enterprise resiliency program that addresses enterprise continuity, catastrophe restoration, and incident response.

  • Be sure that delicate knowledge is encrypted whereas saved and in transit.

  • Implement sturdy technical safety options and safety greatest practices (e.g., often replace antivirus software program and again up knowledge).

  • Appropriately reply to previous cybersecurity incidents.

3) Online security tips for plan fiduciaries and participants. Though the next suggestions may be acquainted, holding them prime of thoughts will assist your shoppers and their plan members scale back the danger of fraud and loss to their retirement accounts:

  • Register, arrange, and routinely monitor any on-line retirement account.

  • Create sturdy and distinctive passwords.

  • Use multifactor authentication.

  • Hold private contact info present.

  • Shut or delete unused accounts.

  • Be cautious of free Wi-Fi.

  • Be within the know relating to indicators of phishing assaults.

  • Use antivirus software program and preserve apps and software program present.

Cybersecurity Consciousness Mindset

In keeping with the DOL guidance for retirement plan cybersecurity, the insurance policies described above are designed to assist defend an estimated $9.3 trillion in plan belongings. This huge sum highlights the cyberthreats confronted by your plan sponsor shoppers and their plan members. Should you’re an advisor who helps or acts as a plan fiduciary, you might have an obligation to do your half in educating your shoppers relating to cybersecurity. It’s additionally an excellent enterprise apply—and a very good solution to construct relationships with retirement plan sponsors.

For extra info on cybersecurity, read our recent post on the significance of cyber legal responsibility insurance coverage. We additionally advocate visiting the Cybersecurity Awareness Month web site.

Source link

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp

Leave a Reply

Your email address will not be published.