Cybersecurity should be top of mind for retirement plan fiduciaries, not only because the risks of a data breach or fraud are on the rise but also because the Department of Labor (DOL) has begun auditing retirement plans with a focus on cybersecurity.
What’s the best way for plan fiduciaries to mitigate risks while also demonstrating compliance with recent DOL guidance? Conduct a cybersecurity compliance review.
In his article, “Conducting a Cybersecurity Compliance Review: A How-To Guide” in the July/August issue of Benefits Magazine, attorney Justin P. Musil outlines best practices for conducting such a review. Musil is a shareholder in the employee benefits practice at Reinhart Boerner Van Deuren s.c. in Milwaukee, Wisconsin.
A cybersecurity compliance review should include the following components.
1. Vendor Questionnaire and Evaluation
Most breaches and security incidents affecting benefit plans and their participants occur with third-party service providers (vendors), Musil writes.
By having current and prospective vendors complete a questionnaire, plan fiduciaries can document and evaluate the steps these vendors are taking to secure plan data, information systems and assets. This questionnaire should be sent to any vendor that creates or maintains confidential information for the plan, handles or transfers plan assets, or hosts or maintains critical information systems, Musil explains.
If a vendor’s program checks all the boxes, a fiduciary may not need to take any additional action. But if the vendor has deficiencies, such as a history of security incidents, a fiduciary may need to follow up and ask for evidence to confirm that remedial measures were implemented. Extreme cases might require terminating and replacing the vendor.
2. Service Contract Review
Plan fiduciaries should coordinate with legal counsel to review existing service agreements to determine whether they sufficiently address data privacy and cybersecurity. This contract review is particularly important for key vendors that have been identified to receive the cybersecurity questionnaire, Musil notes.
Next, plan fiduciaries should consider whether to request revisions to the service agreement, either as an amendment or as part of an upcoming contract renewal, whereby the vendor agrees to comply with all DOL requirements, applicable data privacy and security laws, and other industry best practices.
3. Cybersecurity Policies and Procedures
Self-administered plans, third-party administrators and employer plan sponsors need to have on hand formal, well-documented cybersecurity policies and procedures relating to the plan in order to respond to DOL requests for detailed documentation in a timely manner. “While the DOL is reviewing all areas of cybersecurity compliance, some key areas of focus have been risk assessments, third-party audits and penetration testing, management of cloud service providers, cybersecurity awareness training, access controls and identity management (especially password management and multifactor authentication), encryption, incident response and business continuity,” Musil explains.
4. Participant Communication
Plan fiduciaries and sponsors have a duty to provide plan participants with information about keeping their personal information and retirement savings secure. The DOL guidance includes security tips to be shared with participants who have online access to their retirement accounts. Though not mentioned in the DOL guidance, Musil suggests a plan’s summary plan description (SPD) is an appropriate vehicle to communicate a plan’s cybersecurity procedures and participants’ responsibilities within those procedures.
5. Security Risk Assessment
The DOL suggests that plans periodically conduct a security risk assessment, which helps identify and assess internal and external risks and threats to information systems and sensitive data. This can be conducted internally or by a third-party auditor and will help organizations understand what measures they can take to eliminate or reduce those risks or threats.
After the Review . . . Document
“All cybersecurity decision-making and compliance measures should be documented in trustee and benefit committee meeting minutes to help demonstrate procedural prudence in this newer, yet increasingly important area of compliance for plans,” Musil writes.
Kathy Bergstrom, CEBS
Senior Editor, Publications at the International Foundation of Employee Benefit Plans