Cybersecurity is a big concern, and recent guidance from the Department of Labor (DOL) focuses on assisting those involved in retirement plans to properly maintain plan records and keep participant data confidential and plan accounts secure. The DOL issued three documents, referenced below, with guidance aimed at plan sponsors, plan fiduciaries, record keepers and plan participants, which includes employers in addition to plan beneficiaries.
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires. Among the six tips in this document, you can find:
  - Asking about the service provider’s information security standards, practices and policies, and audit results.
  - Asking (or even checking to see) whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and record keepers in their responsibilities to manage cybersecurity risks. This document contains recommendations, such as:
  - Making sure the organization has a formal, well-documented cybersecurity program.
  - Ensuring strong access control processes. Industry experts say multifactor authentication (MFA) provides extra protection that makes unauthorized access more difficult.
- Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss. This document reminds us of precautions we already know but might be lax in following, such as:
  - Being wary of free Wi-Fi. Browsing for general information is probably not problematic, but accessing financial accounts from a local fast-food restaurant’s network might compromise your security.
  - A reminder to beware of phishing attempts. Emails that look fishy usually are, and clicking a link without verifying the authenticity of the message is a big no-no.
  - Using a strong password. I admit I groaned when I wrote this because I tend to use the same, easy-to-remember password for multiple accounts – probably not the safest way to go.
ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks. While employers may not actively manage retirement plans, they hire those who do and therefore have a responsibility to ensure they select competent and safe organizations. As the IRS puts it, “Even if you hire a financial institution or retirement plan professional to manage your plan, you retain some fiduciary responsibility for the decision to select and keep the service provider.” The DOL’s guidance is certainly a word to the wise for today.