On April 14, 2021, the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration issued first-ever guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity to protect the retirement benefits of America’s workers.  This cybersecurity guidance emphasizes how critical it is for fiduciaries to focus on cybersecurity issues in selecting, contracting with and monitoring the performance of recordkeepers and other plan service providers to protect plan participants. Fiduciaries should focus on cybersecurity in performing service provider due diligence, in negotiating service provider contracts, and in ongoing monitoring of a service provider’s compliance with policies and procedures and ensure that any breaches are promptly reported, investigated and addressed.

This new cybersecurity guidance is intended to complement the existing DOL regulations on electronic records and disclosures to plan participants and beneficiaries.  This includes provisions on ensuring that electronic recordkeeping systems have reasonable controls and adequate recorded management practices in place and that electronic disclosure systems include measures calculated to protect the participants’ Personally Identifiable Information (PII).

Cybersecurity Considerations for Fiduciaries

The DOL’s cybersecurity guidance affirms the importance of taking cybersecurity into consideration when fiduciaries are selecting, contracting with and monitoring recordkeepers or other plan service providers. In particular, the “Tips for Hiring a Service Provider with Strong Cybersecurity Practices” encourages fiduciaries to address cybersecurity as follows:

• Due Diligence. In selecting a service provider, fiduciaries should review the service provider’s cybersecurity policies and procedures to assess how they compare to industry standards. This includes:
  • Confirming whether third party audits are performed and reviewing any audit reports;
  • Inquiring about any security incidents and what steps have been taken in response to them;
  • Reviewing public information, including litigation records, regarding any cybersecurity incidents involving a service provider; and
  • Assessing levels of cybersecurity or identity theft insurance policies and levels of coverage.
• Contract Provisions. Contracts with service providers should:
  • Require the service provider to obtain a third-party audit to assess compliance with policies and procedures;
  • Prohibit the use or sharing of participant information without consent and generally meet a strong standard of care for protecting the information;
  • Require prompt notification in the event of any cyber incident or data breach and cooperation to investigate and address the cause of the breach;
  • Require compliance with privacy laws and regulations regarding the privacy and security of participant information; and
  • Require appropriate levels of professional liability and errors and omissions insurance, cyber liability and privacy breach insurance and other fiduciary bond or blanket crime insurance.

The DOL’s “Cybersecurity Best Program Practices” describes what the DOL believes to be best practices and procedures for service providers. Plan fiduciaries can use this as a reference in evaluating the cybersecurity practices and procedures of potential service providers.

Fiduciaries may also want to ensure that the “Online Security Tips” are shared with individual participants or similar information is provided by the plan’s recordkeeper or other service providers.

The DOL News Release with guidance on “Tips for Hiring a Service Provider”,  “Cybersecurity Best Program Practices”, and “Online Security Tips”  can be accessed at (https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414).

If you have any questions about the new DOL guidance on cybersecurity and retirement plans, please contact your MCM client service team or Becky Barnett at becky.barnett@mcmcpa.com or 502.882.4320.