DOL Issues Cybersecurity Guidance for Retirement Plans

As of April 14, 2021, the Department of Labor (DOL) has finally issued guidance related to the cybersecurity measures needed to protect employee data that plan sponsors and their service providers share and store online.
Participants’ Personal Data at Risk
Private sector employer-sponsored retirement plans hold trillions in assets for the benefit of millions of participants. That puts a lot of personally identifying information (PII) at risk. PII is information used to distinguish or trace an individual’s identity, such as name, birthdate or Social Security number, along with personal information that can be linked to an individual, such as medical, educational, financial and employment information.
Multiple Sources Sharing Data
To administer employer-sponsored defined contribution plans, such as 401(k) plans, plan sponsors, recordkeepers, third party administrators, custodians and payroll providers all share a variety of PII, as well as plan asset data to carry out their respective functions. With data sharing comes cybersecurity risks.
Who Should Protect Data?
Federal law does require plan fiduciaries to act prudently when administering plans. And after urging by the Government Accounting Office (GAO) and others, the DOL has finally issued guidance on cybersecurity for retirement plans.
DOL’s Guidance: Three Parts
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices Click here for the DOL’s tips. These tips are meant to help plan sponsors and fiduciaries prudently select service providers with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices Click here for DOL cybersecurity best practices. These guidelines are designed to assist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips Click here for DOL online security tips. These tips offer guidance to plan participants and beneficiaries who check their retirement accounts online to reduce the risk of fraud and loss.
Next Steps
Only time will tell whether following the DOL’s guidance will provide an effective defense for plan sponsors, plan fiduciaries and plan service providers that may be sued by plan participants who have lost their retirement plan nest eggs to cyber thieves or other bad actors. Going beyond tips and best practices, industry professionals believe it would be helpful for the DOL to establish clear standards and requirements that plan sponsors, plan fiduciaries and third-party service providers must meet to fulfill their respective ERISA duties owed to plan participants and beneficiaries.
Consult With Your Retirement Team
With the shift to remote work in the past year there is a heightened concern around cyberattacks for plan sponsors and plan advisors. The Retirement Plan Solutions team, along with Stinson Law Firm, developed a questionnaire for vendors to complete to help identify cybersecurity measures and who is responsible to protect participant and plan data. Reach out to us for more information.
Given the vulnerability of employee data to cyber fraud, we recommend that you consult with all entities that assist in the administration of your retirement plan to ensure you have protective measures in place to safeguard your retirement benefits and plan participants’ personal identifying information.
Sources:
1 “DOL Finally Issues Cybersecurity Guidance for Retirement Plans,” jdsupra.com
The views expressed are for commentary purposes only and do not take into account any individual personal, financial, legal or tax considerations. As such, the information contained herein is not intended to be personal legal, investment or tax advice. Nothing herein should be relied upon as such, and there is no guarantee that any claims made will come to pass. The opinions are based on information and sources of information deemed to be reliable, but Mariner Wealth Advisors does not warrant the accuracy of the information .
Mariner Wealth Advisors (“MWA”), is an SEC registered investment adviser with its principal place of business in the State of Kansas. Registration of an investment adviser does not imply a certain level of skill or training. MWA is in compliance with the current notice filing requirements imposed upon registered investment advisers by those states in which MWA maintains clients. MWA may only transact business in those states in which it is notice filed or qualifies for an exemption or exclusion from notice filing requirements. Any subsequent, direct communication by MWA with a prospective client shall be conducted by a representative that is either registered or qualifies for an exemption or exclusion from registration in the state where the prospective client resides. For additional information about MWA, including fees and services, please contact MWA or refer to the Investment Adviser Public Disclosure website. Please read the disclosure statement carefully before you invest or send money.