Employee Benefits Security Administration Cybersecurity Guidance

As we approach ERISA season, it is more important than ever to remember that even our retirement benefits are at risk of cyberattacks.

For the first time in its history, the Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance for ERISA-covered retirement plans, outlining best practices for record-keepers, plan sponsors and fiduciaries, and participants and beneficiaries. The guidance came in three forms: (i) cybersecurity program best practices for record-keepers and other service providers, (ii) tips for plan sponsors on selecting a service provider, and (iii) general online security tips.

While ERISA has always required plan fiduciaries to take appropriate precautions to mitigate internal and external cybersecurity threats, those precautions were undefined and ambiguous before this guidance. Now that the guidance has been released, plan sponsors and fiduciaries should incorporate it into their existing plan oversight processes. Any action taken (e.g., service provider due diligence, enhancements to internal controls) should be documented in plan-related records to demonstrate conformity with the guidance.

Below are some of the steps the guidance suggests plan sponsors, fiduciaries and participants take to stay ahead of cybercrime:

1. Hire a service provider with strong cybersecurity practices and monitor their activities

  1. Understand their security standards
  2. Ask the service provider whether they have had previous security breaches and how they responded to them
  3. Make sure the contract requires ongoing compliance that includes cybersecurity and information security standards
  4. For a comprehensive list, please visit the following link: Tips For Hiring a Service Provider With Strong Cybersecurity Practices (dol.gov)

2. Stay at the forefront of cybersecurity risks by following these best practices

  1. Develop a well-documented, formal cybersecurity program
  2. Have an independent auditor assess your organization’s cybersecurity controls to identify existing risks, vulnerabilities and weaknesses
  3. Clearly define and assign information security roles and responsibilities
  4. For the full list of best practices, please visit the following link: Cybersecurity Program Best Practices (dol.gov)

3. For plan participants who access their retirement accounts online, here are some basic tips to mitigate the risk of fraud and loss

  1. Routinely monitor your account for unusual activity
  2. Keep personal contact information current with your employer and retirement service providers
  3. Use multi-factor authentication
  4. Be aware of phishing attacks and steer clear of “free Wi-Fi”
  5. For additional tips, please visit the following link: Online Security Tips (dol.gov)

If you have any questions related to the information above or cybersecurity in general, please contact our office to speak to an expert in our Retirement Solutions Group or Risk Advisory Group.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.