Guidance on Benefit Plan Cybersecurity Best Practices

Plan participants now enroll, change elections, review benefits, apply for plan loans and hardship distributions, and access account information through websites and cellphone apps. As electronic access to plan information has increased, so has the interest of hackers in obtaining the wealth of information stored electronically. Recently, the DOL's Employee Benefits Security Administration (the EBSA) issued the following cybersecurity guidance documents to help plan sponsors comply with their duties to protect plan information:

• Tips for Hiring a Service Provider with Strong Cybersecurity Practices: These tips are intended to help plan sponsors and plan fiduciaries meet their duties under ERISA to prudently select and monitor service providers. They include a list of questions to ask and considerations to make when evaluating potential service providers.
• Cybersecurity Program Best Practices: This guidance provides a list of 12 best practices intended to help plan fiduciaries mitigate cybersecurity risks and make prudent decisions when selecting service providers.
• Online Security Tips: These tips provide basic rules to help plan participants and beneficiaries reduce the risk of fraud and loss when accessing their online retirement plan accounts.

The EBSA's guidance is a good reminder to plan sponsors to evaluate both their internal and external cybersecurity practices on at least an annual basis to ensure that plan data is protected. Any evaluation of plan cybersecurity should include training of employees who handle plan matters and a review of third party administrator contracts to ensure the contracts conform with current cybersecurity best practices. These annual reviews will not only help plan sponsors better protect plan data but will also help plan sponsors ensure that procedures are in place to mitigate any potential harm that could be caused by a data breach. In addition, when engaging a new service provider, following the DOL's tips will help the responsible fiduciary demonstrate it followed a prudent process. The EBSA news release is available here. The Tips for Hiring a Service Provider with Strong Cybersecurity Practices guidance is available here. The Cybersecurity Program Best Practices guidance is available here. The Online Security Tips guidance is available here.