Retirement plans often hold millions of dollars in assets, and the plan's platform maintains sensitive data on participants. All this money and data can make retirement plans a target for cybercriminals. As plan sponsors, you have a fiduciary obligation to ensure that the plan properly mitigates cybersecurity risks and that participants' retirement money and data are secure.
To assist plan sponsors with cybersecurity risk, the U.S. Department of Labor (DOL) has recently announced new guidance on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America’s workers. The guidance is not only directed at plan sponsors but also plan fiduciaries, plan participants, and beneficiaries.
The DOL’s guidance comes in three forms:
- Tips on Hiring a Service Provider and monitoring its cybersecurity practices and activities
- Cybersecurity Program Best Practices for plan sponsors and recordkeepers
- Online Security Tips for plan participants and beneficiaries
See here for more information: https://www.dol.gov/newsroom/r...
This notice from the DOL is currently only guidance. The DOL is not yet taking any enforcement action, but it is starting to make inquiries of plan sponsors and asking for documents relating to cybersecurity policies and procedures. Even though these inquiries seem to be limited to ongoing audits, all plan sponsors should review the guidance to see where their cybersecurity practices currently stand and to determine whether they need improvement.
What should plan sponsors be doing now?
- Read the notice and guidance provided by the DOL
- Determine what you, as the plan sponsor, already have in place
- Determine what needs to be addressed within your organization and make a plan to address it
- Inquire and review the processes in place for your current service providers
- Gather and maintain all related documents
Lastly, take this seriously. The DOL has determined this to be a very hot topic and will likely be rolling out more formal audits. Not only should you be prepared for these DOL audits, but as plan sponsors, you should always be acting as prudent fiduciaries of your participants' retirement assets and personal data.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.