Posted By: Christopher Ciminera, CPA
We’ve now come to the final act of our play and the last blog in our series on retirement plan benefit legislation updates. We’ve covered the Bipartisan Budget Act of 2018, the SECURE Act, the CARES Act, and in the last blog we covered the updates to EPCRS with Revenue Procedure 2021-30. In this final blog, we’ll cover the DOL’s cybersecurity guidance. There wasn’t much on the regulatory front specifically from the DOL, however, one piece of guidance came through as a news release on April 14, 2021 that provided cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers, and plan participants. These days, any cybersecurity guidance is welcome since we are at a heightened risk from breaches and other security issues. The DOL understands fiduciaries of retirement plans must safeguard assets trusted to their oversight. Because of the fiduciary responsibilities and the increased cybersecurity breaches, the DOL provided guidance for fiduciaries and others to help protect these assets. The news release included three specific pieces of guidance: Cybersecurity Best Practices, Tips for Hiring a Service Provider, and Online Security Tips. The newsletter indicated that this guidance was issued to help plan sponsors, fiduciaries, and participants to safeguard retirement benefits and personal information. As I mentioned, plan fiduciaries must work in the best interest of plan participants and protect plan assets. In that vein, plan sponsors must ensure they are following the best cybersecurity processes and procedures. The EBSA has indicated that plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
Scene 1 – Cybersecurity Program Best Practices
The Best Practice guidance was created for recordkeepers and other service providers and for plan fiduciaries in helping them make prudent decisions on these service providers they are hiring to help administer the plan. In the best practice guidance, the EBSA indicates that service providers should:
- have a formal, well documented cybersecurity program
- conduct prudent annual risk assessments
- have a reliable third-party annual audit of security controls
- clearly define and assign information security roles and responsibilities
- have strong access control procedures
- ensure that assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments
- conduct periodic cybersecurity awareness training
- implement and manage a secure system development life cycle program
- have an effective business resiliency program addressing business continuity, disaster recovery, and incident response
- encrypt sensitive data – stored and in transit
- implement strong technical controls
- appropriately respond to cybersecurity incidents
Scene 2 – Tips for Hiring a Service Provider With Strong Cybersecurity Practices
Another piece of guidance provided covered tips for hiring a service provider with strong cybersecurity practices. The guidance provides tips on what to consider when selecting and monitoring service providers it hires. The EBSA indicates that a plan fiduciary should:
- ask about the service provider’s information security standards, practices and policies, and audit results and compare them to industry standards adopted by other financial institutions.
- ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
- evaluate the service provider’s track record in the industry by reviewing public information regarding information security incidents, other litigation, and legal proceedings.
- ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
- ensure the contract with the service provider has terms requiring ongoing compliance with cybersecurity and information security standards and to be aware of contract provisions that limit the service provider’s responsibility for IT security breaches.
Scene 3 – Online Security Tips
The last piece of guidance that the DOL provided covered online security tips. The DOL suggests that participants, sponsors, and others:
- register, set up, and routinely monitor online accounts
- use strong and unique passwords
- use multi-factor authentication
- keep personal contact information current
- close or delete unused accounts
- be wary of free Wi-Fi
- beware of phishing attacks
- use antivirus software and keep apps and software current
- know how to report identity theft and cybersecurity incidents
And with the finish of Act 5, we have reached the end of the play. One that started innocently enough with the Bipartisan Budget Act of 2018, moved into the major portion of our story, which was the SECURE Act. It then moved into our suspenseful part with the COVID-19 pandemic and the ability to tap into retirement savings where needed with the CARES Act. We enjoyed some brighter days with the updates to EPCRS with Revenue Procedures 2021-30. And, we ended with the DOL’s guidance on Cybersecurity. We still see much going on in the world, but I’m sure hoping we are starting to move in a positive direction with the pandemic. As with legislation and guidance, I can assure you we’ll see more. The plays that will continue can be The Tempest or maybe a Comedy of Errors. We have proposals including the SECURE Act 2.0 out there. Hopefully, the next play will be A Midsummer Night’s Dream!
Summary of this blog series, for your reference
- Retirement Plan Legislative Update: Act 1 – Bipartisan Budget Act
- Retirement Plan Legislative Update: Act 2 – Scene 1: The SECURE Act
- Retirement Plan Legislative Update: Act 2 – SECURE Act Scenes 2-4
- Retirement Plan Legislative Update: Act 3 – The CARES Act
- Retirement Plan Legislative Update: Act 4 – Update to EPCRS
- Retirement Plan Legislative Update: Act 5 – Cybersecurity
Photo By: Richard Patterson (License)