DOL Cybersecurity Guidance for Plan Sponsors

When it comes to providing a retirement plan for your employees, staying compliant with Department of Labor (DOL) guidance is one of the most important responsibilities you take on.

In fact, in a recent survey, Morgan Stanley at Work discovered that 93% of plan sponsors choose to work with a financial advisor specifically for assistance with plan compliance and regulatory oversight.1

The DOL recently published guidance on cybersecurity practices for qualified retirement plans. The DOL notes that these plans are prime targets for cyber attackers: it is estimated that there are approximately 140 million participants in ERISA-governed retirement plans, holding assets of about $9.3 trillion. In addition, retirement plans maintain significant amounts of highly sensitive personal and financial data (think Social Security numbers, employment information, and home addresses).

As a result, without sufficient protections and protocols in place, participants and assets may be at risk from cybersecurity threats. The DOL’s guidance provides plan sponsors, plan fiduciaries, service providers, and plan participants with best practices for maintaining a prudent cybersecurity program within the retirement plan framework. In particular, the DOL stresses that plan fiduciaries should review the guidance and strongly consider implementing it to assess and enhance their current cybersecurity infrastructure.

When it comes to cybersecurity, if you haven’t already, now is the time to put information security protections and protocols in place and to prepare for potential DOL enforcement.

In this article, we decode the guidance and help plan sponsors understand what is most important to implement to keep their company and employees safe from cyber criminals.

The DOL’s cybersecurity guidance is divided into three parts:

  1. Tips for plan sponsors to consider when hiring a service provider with strong cybersecurity policies and procedures
  2. Cybersecurity best practices for service providers
  3. Steps plan participants can take to reduce the risk of fraud and loss to their retirement accounts

Plan Sponsors (i.e., plan fiduciaries)

Under ERISA, plan sponsors have a fiduciary duty to prudently select and monitor a plan’s service providers. The first part of the DOL’s cybersecurity guidance addresses how to evaluate a service provider’s cybersecurity practices in order to satisfy this fiduciary obligation. The guidance recommends that plan fiduciaries carefully review a service provider’s security standards and compare them to recognized industry standards and frameworks. It encourages plan sponsors to ask a current or prospective service provider about its security policies and procedures, any audit results, past security breaches, and whether the service provider carries cybersecurity or identity theft insurance.

Additionally, the DOL strongly advises that a plan fiduciary incorporate cybersecurity-related provisions in its agreement with a service provider. A contract should include terms that require ongoing compliance with applicable cybersecurity and information security standards, and it should not include provisions that limit the service provider’s responsibility for security breaches. A fiduciary should also attempt to include terms that require:

  • An annual, third-party audit to determine compliance with policies and procedures, with the plan fiduciary reserving the right to review the audit results
  • Confidentiality and clear provisions on the use and sharing of information, including clear limitations on the use of such information
  • Notification of data breaches and, in the event of a breach, the service provider’s cooperation to investigate and reasonably address the cause of the breach
  • Compliance with records retention and destruction, privacy, and information security laws
  • Insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and fidelity bond/blanket crime coverage

Plan sponsors should discuss these issues with their legal advisors. 

Service Providers

The second part of the DOL guidance provides best practices for service providers to ensure they have a strong cybersecurity infrastructure. Service providers should have a formal, well-documented cybersecurity program that protects their IT infrastructure and retirement plan data from both internal and external threats. A service provider should institute formal and effective policies and procedures requiring annual risk assessments and review by a third-party auditor. As the DOL notes, risk assessments for assets or data stored in a cloud environment or managed by another third-party service provider are particularly important.

According to the DOL, for a cybersecurity program to be effective and accountable, it must be managed at the senior executive level, such as by a chief information security officer (CISO). Additionally, a service provider’s users and employees should be subject to strong access control procedures so that only authorized individuals can access sensitive retirement plan information. Such controls also let a service provider confirm that user activity is consistent with its cybersecurity program and detect any unauthorized use of or access to confidential data. The DOL stresses that employees are often an organization’s weakest link in cybersecurity. To minimize the human element in potential security breaches, a service provider’s cybersecurity program should include annual cybersecurity awareness training for employees. The guidance also includes recommendations for a secure system development lifecycle program, a business resilience program, encryption of sensitive data both at rest and in transit, technical controls (i.e., security solutions implemented through mechanisms in the hardware, software, or firmware of a system) in line with best security practices, and appropriate responses to any past cybersecurity incidents.

Tips for Plan Participants

The final part of the DOL’s April 2021 guidance offers plan participants and beneficiaries tips to reduce the risk of fraud and loss when managing their retirement accounts online. These online security tips include:

  • Register, set up, and routinely monitor online accounts
  • Use strong and unique passwords
  • Use multi-factor authentication
  • Keep personal contact information current
  • Close or delete unused accounts
  • Be wary of free Wi-Fi
  • Beware of phishing attacks
  • Use antivirus software and keep applications and software current
  • Know how to report identity theft and cybersecurity incidents

Plan sponsors and fiduciaries should share these tips with plan participants and emphasize a participant’s role in safeguarding their retirement benefits and personal information.


Over the past year, the DOL has commenced an audit initiative focused on retirement plan cybersecurity practices, asking plan sponsors and plan fiduciaries to produce all cybersecurity program policies, procedures, and guidelines that relate to the plan, whether applied by the plan sponsor or by a service provider. The DOL has also requested detailed documentation of actions taken by the plan’s fiduciaries and service providers regarding their cybersecurity practices. As cybercrime continues to evolve and increase, with an estimated global cost of $10.5 trillion by 2025, growing about 15% year over year, the DOL will likely continue its efforts to oversee these practices and to offer further guidance and regulations.2

Morgan Stanley at Work empowers companies and employees wherever they are on their unique financial journey, and we’re here to help companies navigate today’s financial services landscape and latest legislative changes with confidence. Contact your Financial Advisor today to learn more about Morgan Stanley’s cybersecurity infrastructure to keep your sensitive data safe.