Cybersecurity Best Practices for Retirement Plans: How to Prepare for the Coming Department of Labor Cybersecurity Audits

Ellie Kang
Foley Hoag LLP - Security, Privacy and the Law
Contact
LinkedIn
Facebook
X
Send
Embed

Foley Hoag LLP - Security, Privacy and the Law

Are your employer-sponsored retirement accounts exposed to cybersecurity threats?  How should you and those who are entrusted with your retirement assets mitigate cybersecurity risks?  The official who leads the Employee Benefit Security Administration of the U.S. Department of Labor (EBSA) addressed these questions at a recent conference, following EBSA’s April 14, 2021 release of cybersecurity guidance for retirement plans.  The guidance outlines what actions plan sponsors, fiduciaries, service providers and participants should take to safeguard retirement assets and personal information against cybersecurity threats.

The guidance impacts more than employers and other plan fiduciaries.  If you provide any services to a retirement plan and have access to plan-related data (such as in your capacity as the plan’s record keeper, custodian, actuary or auditor), you need to evaluate whether your cybersecurity programs are adequate in light of the 12 cybersecurity best practices outlined by EBSA.  These best practices range from encrypting sensitive data and documenting cybersecurity policies and procedures, to conducting annual risk assessments and training.  These EBSA best practices are generally consistent with cybersecurity guidelines issued by other regulators.  At a minimum, you should try to implement the best practices recommended by EBSA as part of your organization-wide cybersecurity program.

If you are an employer sponsoring a retirement plan for your employees, you have an obligation under law to prudently select and monitor service providers to the plan.  The EBSA guidance provides a list of “tips” for evaluating whether a service provider has robust cybersecurity policies and practices.  These tips encourage plan sponsors to conduct due diligence on the service provider’s cybersecurity programs, third-party audit reports and past security breaches, and to negotiate contractual terms (such as insurance coverage and notice of breach provisions) that will enhance cybersecurity protections for the plan and its participants.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising

Written by:

Foley Hoag LLP - Security, Privacy and the Law
Foley Hoag LLP - Security, Privacy and the Law
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Foley Hoag LLP - Security, Privacy and the Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide