United States:

Cybersecurity guidelines for sponsors of retirement plans

June 10, 2021

Sheppard Mullin Richter & Hampton


The Department of Labor recently issued cybersecurity guidance for retirement plans. The department's Employee Benefits Security Administration (EBSA) has issued guidelines in three areas: (1) hiring and working with service providers; (2) implementing an internal cybersecurity program for the plan; and (3) online security for plan participants and end users.

Recommendations to plan sponsors and administrators are:

  • Asking vendors what security practices they use and how those measures are validated;
  • Determining the type and scope of the providers' cyber insurance;
  • Establishing a formal cybersecurity program and conducting annual risk assessments;
  • Using security measures such as encryption and holding regular training courses;
  • Informing users about common risks such as free WiFi or poor password hygiene.

These guidelines clarify how the EBSA interprets the Electronic Records Regulations (which require plan administrators to put adequate controls and records management in place) and the rules on plan fiduciary responsibility. Although these cybersecurity recommendations are the first from EBSA, they will be familiar to anyone who knows other frameworks such as the NIST Cybersecurity Framework and other government guidance on managing providers, including the latest NYDFS supply chain management guidelines.

Putting it into practice: This first EBSA cybersecurity guidance signals the agency's expectations for cybersecurity. The focus on vetting and onboarding service providers deserves particular attention. These precautions are especially relevant for providers that run automated processes on the plan's behalf and/or have detailed knowledge of their customers' IT systems (knowledge that a malicious actor could exploit). Plan sponsors and other fiduciaries with existing cybersecurity programs will want to compare their controls and vendor management programs against these three newly issued guidelines.

The content of this article is intended to provide general guidance on the subject. You should seek expert advice regarding your specific circumstances.
