Advances in technology bring convenience, but they also bring risks that must be weighed. The sharp rise in cybersecurity threats worldwide in recent years has prompted many businesses and organizations to reevaluate their cybersecurity measures, especially those that handle personally identifiable information. Service providers for retirement plans, including Third Party Administrators (TPAs), face elevated risk because many rely on cloud-based technology solutions to streamline the services they provide, which widens the set of systems and vendors an attacker can target.
While this use of technology can provide benefits such as increased participant engagement in your company's retirement plan, it also exposes participant information, such as Social Security numbers, addresses, and legal names, to compromise. It also puts the funds held in these retirement accounts at risk, and for many participants those funds are their only retirement savings. Now that guidance from the Department of Labor (DOL) is available, it is time to approach your service providers and ask what procedures they have in place to protect you and your entire organization from an attack.
Department of Labor Sheds Light on Cybersecurity Best Practices
To protect TPAs and other service providers, the plan sponsors they serve, and the plan assets they handle, the DOL's Employee Benefits Security Administration (EBSA) has published a list of 12 best practices for adopting an effective cybersecurity program and procedures:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, both at rest and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
As a plan sponsor, you should understand how thoroughly your service provider applies this list within its own cybersecurity program. If you are searching for a new plan provider, use the list to ask each prospective candidate how it adheres to this guidance.
We expect this guidance is only a preview of what the DOL will issue regarding cybersecurity plans and procedures for retirement plans. You can read more about each best practice in the DOL's Cybersecurity Program Best Practices document.
Putting the Best Practices to Good Use
Now that you are aware of the 12 cybersecurity best practices, how do you talk to your service provider about its procedures and obtain the documentation you need for your own records?
Start by submitting a written request to every party with access to plan assets, such as the recordkeeper or custodian, asking for an evaluation that details how its cybersecurity program aligns with the DOL's guidance. Do the same with every party that has access to your plan data and your participants' personally identifiable information, such as your TPA and payroll provider. Ask that the evaluation be backed by evidence, such as the report from the annual third-party audit of security controls the guidance calls for, rather than a self-attestation alone, and keep the responses with your plan records, since they document the diligence you performed.
Your service providers are not the only ones who should be examining the strength of their cybersecurity procedures. We also strongly recommend assessing your own business against the 12 best practices. As a plan sponsor, you should take ownership of your own cybersecurity program and prioritize it in tandem with your service providers'.
By communicating with your service providers and regularly reviewing both their cybersecurity policies and procedures and your own, you can be confident that you are taking proactive steps to protect your organization, your people, and their sensitive data from cyberattacks.
We expect additional guidance from the DOL on this topic and will keep you updated. Cyberattacks are among the fastest growing crimes in the United States, and every reasonable precaution should be taken to protect your business and your employees' sensitive information. If you have any questions or concerns, please reach out to one of our team members. We are always here to help.