By Kelsey Mayo, Partner, Poyner Spruill
Plan theft is a perennial hot-button issue in the benefit plan arena. Recent estimates show that defined contribution plans alone guard benefits for over 106 million participants and over $6.3 trillion in assets. Plan sponsors, administrators, and fiduciaries should ensure that they are implementing reasonable processes to routinely evaluate areas of risk and methods of risk mitigation.
In response to a Government Accountability Office study affirming the vulnerability of retirement plan data, the Department of Labor (DOL) released a three-piece cybersecurity guidance package for plan sponsors, service providers, and participants. The package contains: (1) a 12-prong cybersecurity best practices summary, (2) tips for hiring service providers, and (3) online security tips for participants and beneficiaries. Importantly for plan sponsors, the DOL characterizes the mitigation of cybersecurity risk as a fiduciary duty. The package reflects what the DOL likely believes are cybersecurity standards fiduciaries should evaluate and pursue. As a plan sponsor, you should carefully evaluate the guidance to ensure you are meeting your fiduciary duties.
There are several actions that plan sponsors should take in response to the guidance package:
- Consider posting and/or distributing the online security tips for participants. This is not a required disclosure; however, it is an easy action to take as part of a participant education program and may be viewed favorably in the unfortunate event of theft from the plan.
- Evaluate current vendor selection procedures to incorporate the DOL’s suggestions in the tips for hiring service providers. Notably, the DOL recommends specific inquiries of potential plan vendors and contractual provisions a fiduciary should request. As part of the prudent monitoring of vendors, sponsors may want to ask these questions and update contracts to the extent possible.
- Review the 12-prong cybersecurity best practices summary and update procedures. Perhaps the most substantive piece of the package, this summary is framed as best practice recommendations for plan service providers, such as third-party administrators and recordkeepers. Conceptually, however, these standards also apply to plan-related information maintained by the plan fiduciary—and enforcement actions already taken confirm this reading. Therefore, plan sponsors should evaluate their own internal cybersecurity policies against the 12 prongs, in addition to evaluating the cybersecurity policies of their plan service providers.
We strongly recommend reviewing the twelve prongs in depth. However, a few key takeaways are that fiduciaries should look for the following when evaluating cybersecurity practices:
- A well-documented, comprehensive cybersecurity program, led by senior personnel;
- Annual reviews, updates, and assessments of the program and the company’s compliance;
- Annual training of personnel, emphasizing identity theft (in our experience, off-the-shelf cybersecurity training programs may need to be supplemented to address how identity theft occurs in the plan context);
- Strong access and security procedures to protect plan data—both when stored on the system and when being shared;
- A process to maintain current participant data, specifically including a procedure to ensure the plan sponsor’s data matches the plan vendor’s data; and
- A comprehensive resiliency plan addressing business continuity, disaster recovery, and incident response.
The items above are broad categories—the DOL guidance provides specific items on each of these points. Reach out to your TPA and plan advisor today for more detail on implementing these best practices (and on evaluating how they, too, are responding to the guidance).