On April 14, 2021, the Department of Labor’s Employee Benefits Security Administration issued three-part guidance on cybersecurity for plan sponsors and fiduciaries. The three topics addressed are “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices,” and “Online Security Tips.”

Because governmental defined contribution plans are not subject to ERISA, they are not bound by this guidance. It nonetheless offers useful insights that governmental defined contribution plans can draw on when managing the cybersecurity aspects of their plans. Further, because many governmental defined contribution plan service providers apply their ERISA processes when working with governmental plan clients, it is quite possible that, much like the DOL's 2013 target date fund "tips," this guidance will come to shape governmental plan contracting and service relationships. Key takeaways from the guidance include:

Tips for Hiring a Service Provider

  1. Compare the service provider’s information security standards, practices and policies, and audit results to industry standards.
  2. Evaluate the service provider’s track record in the industry, including past security incidents and legal proceedings.
  3. Find out whether the service provider carries insurance that would cover losses caused by breaches, both internal (misconduct by an employee) and external (third-party hacking).

Cybersecurity Program Best Practices

  1. Have a formal, well documented cybersecurity program with annual risk assessments and third-party audits.
  2. Ensure that any assets or data stored in the cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  3. Conduct periodic cybersecurity awareness training.
  4. Encrypt sensitive data, both at rest and in transit.

Online Security Tips

EBSA's recommended online security tips are fairly standard: set strong passwords, use multi-factor authentication, and follow similar routine guidance for safe internet use.

NAGDCA’s government affairs team will continue to monitor this rapidly evolving area for further updates.