DOL Cybersecurity Guidance for 401(k) and Employee Benefit Plans
The U.S. Department of Labor recently announced new guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for maintaining cybersecurity for 401(k) and employee benefit plans. The guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA). Without sufficient cybersecurity protections, 401(k) and employee benefit plan participants and their assets may be at risk from both internal and external cybersecurity threats. The DOL guidance is not a requirement yet, but there are several steps 401(k) and employee benefit plans should take now.
What Steps Can You Take to Secure Your 401(k) or Employee Benefit Plan?
Responsible plan fiduciaries and plan sponsors have an obligation to ensure proper mitigation of cybersecurity risks for 401(k) and employee benefit plans. To ensure a 401(k) or employee benefit plan is protected the DOL recommends taking the following measures.
1. Develop a formal, well-documented cybersecurity program.
A well-designed program will include plans to protect infrastructure, information systems, and the information in the systems from unauthorized access, use, or other malicious acts by enabling 401(k) and employee benefit plans to:
- Identify the risks to assets, information and systems.
- Protect each of the necessary assets, data and systems.
- Detect and respond to cybersecurity events.
- Recover from such events.
- Disclose the events as appropriate.
- Restore normal operations and services.
In addition, 401(k) and employee benefit plans need to establish strong security policies, procedures, guidelines, and standards that have been approved by senior leadership, reviewed annually, effectively communicated to participants of 401(k) and employee benefit plans, are well documented, and reviewed by the 401(k) or employee benefit plan’s independent auditor.
2. Perform an annual risk assessment for your 401(k) or employee benefit plan.
The risk assessment is used to identify, estimate, and prioritize information system risks. The risk assessment should include the following:
- Identify, assess, and document how identified cybersecurity risks or threats are evaluated and categorized.
- Establish criteria to evaluate the confidentiality, integrity, and availability of the information systems.
- Describe how the cybersecurity program will mitigate or accept the risks identified.
- Facilitate the revision of controls resulting from changes in technology and emerging threats.
- Be kept current to account for changes in information systems, nonpublic information, or business operations.
3. Having an independent auditor assess an organization’s security controls and provide a clear, unbiased report of the existing risks, vulnerabilities, and weaknesses.
Key risks or areas for assessment include the following:
- Secure system development life cycle program that ensures security assurance activities such as penetration testing, code review, and architecture analysis.
- Business continuity and disaster recovery program that allows a 401(k) or employee benefit plan to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and data.
- Encryption of data stored and in transit. A 401(k) or employee benefit plan system should implement current, prudent standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data at rest or in transit.
- Strong technical controls implementing best security practices. Technical security solutions are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
- Responsiveness to cybersecurity incidents or breaches. When a cybersecurity breach or incident occurs, appropriate action should be taken to protect the 401(k) or employee benefit plan and its participants.
A majority of 401(k) and employee benefit plans use a third-party administrator (TPA) to serve as the 401(k) or employee benefit plan’s record keeper or trustee. It is recommended that the plan sponsor and plan fiduciary ensure their TPA is having an independent auditor assess the security controls in place at the TPA. Often times this comes in the form of a System and Organization Controls (SOC 2) Type 2 report. A SOC 2 Type 2 report should address the key risks and areas described above.
4. Clearly define and assign information security roles and responsibilities.
For a 401(k) or employee benefit plan’s cybersecurity program to be effective, it must be managed at the senior executive level and carried out by qualified personnel.
5. Establish strong access control procedures.
Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to IT systems and data. It mainly consists of two components: authentication and authorization. Most 401(k) or employee benefit plans use an online portal for participants to access their benefits. Without strong access control procedures 401(k) and employee benefit plan participants’ retirement accounts could be misappropriated due to unauthorized access.
6. Conduct cybersecurity awareness training annually for all personnel involved with your 401(k) or employee benefit plan.
The human factor is often the weakest link in a cybersecurity program. Since identity theft is a leading cause of fraudulent distributions for 401(k) and employee benefit plans, it should be considered a key topic of training, which should focus on current trends to exploit unauthorized access to systems. Be on the lookout for individuals falsely posing as authorized plan officials, fiduciaries, participants or beneficiaries.
In summary, ERISA-covered 401(k) and employee benefit plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks and taking the steps described above can help mitigate some of the risk.