Posts

Print Friendly Version Print Friendly Version

Cybersecurity and DOL Document Requests

An advisor asked: “I understand the Department of Labor (DOL) is already checking the cybersecurity procedures of plans that are currently under audit. Do you have any insight into what the DOL’s auditors are requesting from plan sponsors with respect to cybersecurity policies?”

Highlights of the Discussion

Yes, we have a little insight. The DOL’s “Cybersecurity Document Requests” that we have seen, which have been given to at least some plans under audit, reveal the DOL has been asking for quite an extensive list of documentation, as represented below. Moreover, the DOL has noted that plan administrators should be aware that they may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all the documents requested, and if they are unable to produce the requested documents the plan administrator must specify the reasons why the documents are unavailable.

1. All policies, procedures, or guidelines relating to

• Data governance, classification and disposal.
• The implementation of access controls and identity management, including any use of multi-factor authentication.
• The processes for business continuity, disaster recovery, and incident response.
• The assessment of security risks.
• Data privacy.
• Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
• Cybersecurity awareness training.
• Encryption to protect all sensitive information transmitted, stored, or in transit.

2. All documents and communications relating to any past cybersecurity incidents.
3. All security risk assessment reports.
4. All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses.
5. All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers.
6. All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis.
7. All documents describing security technical controls, including firewalls, antivirus software, and data backup.
8. All documents and communications from service providers relating to their cybersecurity capabilities and procedures.
9. All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data.
10. All documents and communications describing the permitted uses of data by the sponsor of the Plan or by any service providers of the Plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.

Most recently, the DOL on April 14, 2021, issued three cybersecurity directives nationwide for retirement plans:

Tips for Hiring a Service Provider: This piece helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
Cybersecurity Program Best Practices: This piece assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks by following these 12 steps.
Online Security Tips: This piece offers plan participants and beneficiaries who check their accounts online basic rules to reduce the risk of fraud or loss.

For more details, please see RLC’s previous Case of the Week: Cybersecurity and Retirement Plans-What’s the Latest?

Conclusion
The industry is still waiting for definitive cybersecurity rules for retirement plan administration. In the meantime, the best that concerned parties can do is make a good faith effort to adopt cybersecurity policies, following the series of guidelines, suggestions and best practices issued by the DOL, and document, document, document.

 

© Copyright 2021 Retirement Learning Center, all rights reserved
Print Friendly Version Print Friendly Version

Cybersecurity and Retirement Plans—What’s the Latest?

Can you bring me up to speed on what cybersecurity standards apply to qualified retirement plans?”

ERISA consultants at the Retirement Learning Center (RLC) Resource Desk regularly receive calls from financial advisors on a broad array of technical topics related to IRAs, qualified retirement plans and other types of retirement savings and income plans, including nonqualified plans, stock options, and Social Security and Medicare.  We bring Case of the Week to you to highlight the most relevant topics affecting your business.

A recent call with an advisor in Massachusetts is representative of a common question on what the Department of Labor (DOL) has to say about cybersecurity and retirement plans.

Highlights of the Discussion

Cybersecurity has been a growing topic of importance in the retirement services industry for years. The Bartnett v Abbott Labs et al  court case in 2020 (although later dismissed), along with other cases, have heightened the concern for fiduciary liability related to such breeches. From a historical perspective, there is an understanding under DOL    Regulation Section 2520.104b-1(c)(i)(B)   and other pronouncements related to the electronic delivery of plan information that a plan sponsor must ensure the electronic system it uses keeps participants’ personal information relating to their accounts and benefits confidential.

Most recently, the DOL on April 14, 2021, issued three cybersecurity directives for retirement plans: one for plan sponsors, one for plan recordkeepers and one for plan participants:

  • Tips for Hiring a Service Provider: This piece helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as required by ERISA
  • Cybersecurity Program Best Practices: This piece assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks by following these steps.
  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.
  • Online Security Tips: This piece offers plan participants and beneficiaries who check their accounts online basic rules to reduce the risk of fraud or loss.

This trifecta of DOL guidance comes on the heels of two recommendations to the DOL from a February 2021 Government Accountability Office (GAO) report to: 1) formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in defined contribution plans and to 2) establish minimum expectations for addressing cybersecurity risks in defined contribution plans. But despite the release of these three directives, presently, there is no comprehensive federal regulatory regime covering cybersecurity for retirement plans.

Other Sources of Guidance to Consider

The American Institute of CPAs (AICIPA) has developed and maintains a cybersecurity risk management program for use by plan auditors, which includes a Systems and Organizations Controls (SOC) protocol intended to help plan sponsors in creating a strong cybersecurity framework .  This Q&A, “Cybersecurity and employee benefit plans: Questions and answers,” provides an overview of the resources.

The ERISA Advisory Council issued a report in 2016 entitled, “Cybersecurity Considerations for Benefit Plans.” The ERISA Advisory Council suggested the DOL raise awareness about cybersecurity risks and provide information for developing a cybersecurity strategy specifically focused on benefit plans. “The Report” put forth considerations for the industry for navigating cybersecurity risks. The considerations relate to the following three key areas. Please refer to the report for more details.

  1. Establish a strategy
  • Identify the data (e.g., how it is accessed, shared, stored, controlled, transmitted, secured and maintained).
  • Consider following existing security frameworks available through organizations such as the Nation Institute of Standards and Technology (NIST), Health Information Trust Alliance (HITRUST), the SAFETY Act, and industry-based initiatives.
  • Establish process considerations (e.g., protocols and policies covering testing, updating, reporting, training, data retention, third party risks, etc.).
  • Customize a strategy taking into account resources, integration, cost, cyber insurance, etc.
  • Strike the right balance based on size, complexity and overall risk exposure.
  • Consider applicable state and federal laws.
  1. Contracts with service providers
  • Define security obligations.
  • Identify reporting and monitoring responsibilities.
  • Conduct periodic risk assessments.
  • Establish due diligence standards for vetting and tiering providers based on the sensitivity of data being shared.
  • Consider whether the service provider has a cyber security program, how data is encrypted, liability for breaches, etc.
  1. Insurance
  • Understand overall insurance programs covering plans and service providers.
  • Evaluate whether cyber insurance has a role in a cyber risk management strategy.
  • Consider the need for first party coverage.

The Report concludes with an appendix entitled, Employee Benefit Plans:  Considerations for Managing Cybersecurity Risks (A Resource for Plan Sponsors and Service Providers).

State laws are another consideration. Each state has different laws governing cybersecurity concerns that may come into play. Unfortunately, many retirement plans cover multiple states or retirees who have moved out of state.

Conclusion

As fiduciaries of their retirement plans, the DOL requires plan sponsors to ensure the electronic systems they authorize for use in the administration of their plans keeps participants’ personal information relating to their accounts and benefits confidential. While currently no comprehensive cybersecurity protocol for retirement plan administration exists at the federal level—we do have a series of guidelines, suggestions and best practices.

 

© Copyright 2021 Retirement Learning Center, all rights reserved
Compliance Rules Guidelines Regulations Laws
Print Friendly Version Print Friendly Version

Cyber Security and Retirement Plans

“With so many examples of data hacking in the news, I’m curious about what cybersecurity standards apply for qualified retirement plans?”

ERISA consultants at the Retirement Learning Center Resource Desk regularly receive calls from financial advisors on a broad array of technical topics related to IRAs and qualified retirement plans. We bring Case of the Week to you to highlight the most relevant topics affecting your business.

Highlights of Discussion

  • Great question! There is an understanding under Department of Labor (DOL) Regulation Section 2520.104b-1(c) and other pronouncements related to the electronic delivery of plan information that a plan sponsor must ensure the electronic system it uses keeps participants’ personal information relating to their accounts and benefits confidential. However, presently, there is no comprehensive federal regulatory regime covering cybersecurity for retirement plans.
  • Each state has different laws governing cybersecurity concerns that may come into play. Unfortunately, many retirement plans cover multiple states or retirees who have moved out of state.
  • At the end of 2016, the ERISA Advisory Council issued a report entitled, Cybersecurity Considerations for Benefit Plans. “The Report” puts forth considerations for the industry for navigating cybersecurity risks. The considerations relate to the following three key areas. Please refer to the report for more details.

1. Establish a strategy

  • Identify the data (e.g., how it is accessed, shared, stored, controlled, transmitted, secured and maintained).
  • Consider following existing security frameworks available through organizations such as the Nation Institute of Standards and Technology (NIST), Health Information Trust Alliance (HITRUST), the SAFETY Act, and industry-based initiatives.
  • Establish process considerations (e.g., protocols and policies covering testing, updating, reporting, training, data retention, third party risks, etc.).
  • Customize a strategy taking into account resources, integration, cost, cyber insurance, etc.
  • Strike the right balance based on size, complexity and overall risk exposure.
  • Consider applicable state and federal laws.

2. Contracts with service providers

  • Define security obligations.
  • Identify reporting and monitoring responsibilities.
  • Conduct periodic risk assessments.
  • Establish due diligence standards for vetting and tiering providers based on the sensitivity of data being shared.
  • Consider whether the service provider has a cyber security program, how data is encrypted, liability for breaches, etc.

3. Insurance

  • Understand overall insurance programs covering plans and service providers.
  • Evaluate whether cyber insurance has a role in a cyber risk management strategy.
  • Consider the need for first party coverage.
  • The ERISA Advisory Council has suggested that the DOL raise awareness about cybersecurity risks and provide information for developing a cybersecurity strategy specifically focused on benefit plans.
  • The Report concludes with an appendix entitled, Employee Benefit Plans: Considerations for Managing Cybersecurity Risks (A Resource for Plan Sponsors and Service Providers).  At this time, no comprehensive cybersecurity protocol for retirement plan administration exists at the federal level. The ERISA Advisory Council has provided suggested materials for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program.

Conclusion 

At this time, no comprehensive cybersecurity protocol for retirement plan administration exists at the federal level. The ERISA Advisory Council has provided suggested materials for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program.

 

 

 

 

 

 

 

© Copyright 2021 Retirement Learning Center, all rights reserved