On April 14, the Department of Labor (DOL) outlined a range of practices for combating the growing threat of cybercrime to ERISA-covered retirement plans. This first-ever cybersecurity guidance issued by the DOL’s Employee Benefits Security Administration (EBSA) casts a wide net, addressing key issues affecting plan sponsors, fiduciaries, and record keepers as well as plan participants and beneficiaries.
The DOL estimates that defined contribution and defined benefit retirement plans hold a combined $9.3 trillion in assets. These plans also store vast amounts of sensitive personal information online, information that could put participants and their assets at risk if a plan’s online systems were breached. In issuing this guidance, the DOL acknowledges both the real and present risk posed by cybercrime and the obligation of responsible plan fiduciaries, as set forth in ERISA, to help mitigate that risk.
Three Types of Guidance Issued
The DOL’s guidance is presented in three separate documents, each targeting a different audience: tips for plan sponsors and fiduciaries on hiring a service provider with strong cybersecurity practices, cybersecurity program best practices for record keepers and other service providers, and online security tips for participants and beneficiaries. These best practices and tips are offered as recommendations for safeguarding the assets and personal information of plan participants while helping to reduce the risk of fraud and loss.
Building on Past DOL Guidance
Although the DOL described this guidance as an important “first step” in safeguarding retirement benefits and personal information, it also builds on earlier EBSA guidance that addressed electronic recordkeeping systems and the controls needed to protect the personal information of plan participants. In this way, the current guidance may serve as a call to action for plan sponsors, fiduciaries, and participants to review and update their established cybersecurity practices and protocols, or to create a cybersecurity program using these recommendations where none exists.
Insight: Keep Strengthening Your Controls
While there is no way to eliminate the risk of cybercrime entirely, plan sponsors who understand the DOL’s guidance and take steps to incorporate it into their cybersecurity protocols will be on a more solid path to safeguarding plan assets and participants’ personal information.
The DOL’s documents should be read as recommendations rather than as a set of minimum requirements or binding regulations. Even so, they underscore the importance of continually evaluating, testing, and improving your cybersecurity protocols amid a rapidly evolving threat landscape.