- The U.S. Labor Department's Employee Benefits Security Administration has issued cybersecurity guidance for the first time. The information is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act, and provides best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America's workers.
- The guidance includes tips for hiring a service provider, cybersecurity best practices and online security tips.
- "This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combating cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats," Acting Assistant Secretary for Employee Benefits Security Ali Khawar said.
EBSA said there are an estimated 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion as of 2018. "Without sufficient protections, these participants and assets may be at risk from both internal and external cybersecurity threats. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks," the Labor Department said in a statement.
The guidance from DOL might be the result of prodding from the General Accounting Office. HR Dive's sister publication, Cybersecurity Dive, reported that GAO said in a report earlier this year that retirement plans face a higher risk of cyberattack because the Labor Department had not provided guidance for protecting employees' savings and personal data, nor had it made clear the cybersecurity responsibilities of employees and other fiduciaries.
"Until DOL formally clarifies plan fiduciaries' responsibilities and provides minimum expectations related to cybersecurity, fiduciaries may not realize that they could be liable for losses they were obligated to prevent and plans and their participants will continue to be vulnerable to financial losses and PII breaches," the GAO said.
Without such guidance, GAO said, companies and other retirement plan administrators might not understand their cybersecurity duties, and plan participants cannot be assured their assets and personal information are safe.
GAO said the Labor Department has acknowledged that cybersecurity is a serious problem for retirement plans. There is a risk that some fiduciaries may not be able to cover losses because of the large amount of money potentially at risk in retirement accounts.
A "potential lack of adequate and consistent protection could result in substantial harm to participants and beneficiaries including loss or theft of money, identity theft or litigation of plan fiduciaries and their administrators," the GAO said.