Assessing Cybersecurity Risk Is Essential
Offering benefits like 401(k) plans involves working with many different service providers. The Department of Labor’s guidance essentially mandates that plan sponsors assess the Cybersecurity risks of service providers.
Services providers hold significant amounts of Personally Identifiable Information (PII). In addition to handling this information for their uses, service providers also transmit sensitive PII to other entities. The DOL and the GAO have determined that serious risks exist if adequate Cybersecurity mechanisms are not in place across the portfolio of service providers.
The scale of financial assets is massive. Americans held $9.3 trillion in all employer-based DC retirement plans on June 30, 2022, of which $6.5 trillion was held in 401(k) plans according to DOL.
DOL Best Practices
At a minimum, plan sponsors are required to adhere to the best practices issued by the DOL’s EBSA.
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.