On April 14, 2021, the U.S. Department of Labor (the DOL) released guidance on cybersecurity that is applicable to plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974, as well as plan participants and beneficiaries. The DOL recognizes that plans are just as susceptible to cyber frauds and put this guidance in place to protect the 87,028 plans with $9.9 trillion in assets.
The guidance can be broken into 3 steps:
- Obtain from all of your service providers their information security standards AND obtain an assessment of their standards by an IT professional.
- Obtain annual risk assessments of your system by a third-party expert.
- Have a cybersecurity insurance policy in place.
All service providers to a Plan are required to provide the Plan with their information security standards. Their validation (testing) of their cybersecurity practices, as well as their track record, past security breaches, and their cybersecurity insurance must be disclosed. The DOL has provided a template of prudent questions to be asked of each service provider for a Plans use. This data must then be evaluated by a competent IT professional.
The guidance requires an annual risk assessment of your systems. The Plan is required to also follow up on any findings identified. The DOL has advised publicly that there is a grace period until the end of the year due to the timing of the guidance, however, you can expect the assessment and any follow up will be requested during any DOL audit from this point forward. This annual assessment may be performed by your internal service provider, i.e., software provider or network manager. However, the Plan must assess if it is prudent to have the company/person who designed or operates your system opine on their own work.
Plans must ensure they have cybersecurity policies in place now. This policy must cover all technology AND all of your sites. Every employee associated with the Plan must also be named in the policy. The Plan can expect that the premiums on these policies will only continue to rise.
Finally, Plans should ensure that their service providers name the Plan as covered in the service providers insurance policy. The Plan can request copies of this for their files.
Why has the DOL done this? Quite simply, we are not prepared. Cybersecurity attacks continue on a daily basis and are so numerous that they no longer make the news. The DOL wants Plan’s prepared to protect the $9.9 trillion Plan participants are counting on.
If you need further guidance on this topic, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.