Department of Labor Issues First-Ever Cyberthreat Guidance for Retirement Plan Fiduciaries By Sean Deviney, CFP®

The Department of Labor’s Employee Benefits Security Administration (EBSA) recently released cybersecurity guidance to help retirement plan sponsors (employers and business owners), record keepers and other plan fiduciaries mitigate the growing risks of cyber threats, including fraud and identity theft.

According to the EBSA, employer-sponsored retirement plans regulated by the Employee Retirement Income Security Act (ERISA) hold more than $9 trillion in assets and maintain personal identifying information about millions of plan participants. Sufficient protections are therefore required to safeguard retirement assets and participants’ identities from a long list of cybercrimes. Included in the EBSA’s first round of guidance are best practices for fiduciaries of 401(k) plans, pensions and profit-sharing plans to adopt for managing cybersecurity risks and selecting service providers with equally strong cybersecurity practices.

Cybersecurity Program Best Practices 

The EBSA recommends retirement plan fiduciaries, including third-party service providers responsible for managing and maintaining IT systems and data, take the following broad steps to mitigate cyber risks.

• Develop and maintain a formal, well-documented cybersecurity program.
• Conduct prudent annual risk assessments.
• Use reliable, independent third parties to conduct annual audits of security controls.
• Define and assign information security roles and responsibilities.
• Institute strong access-control procedures for user authentication and authorization.
• Conduct periodic cybersecurity awareness training.
• Ensure that assets and data stored in a cloud or managed by third-party service providers are subject to regular security reviews and independent security assessments.
• Implement and manage a secure system development life cycle (SDLC) program that includes penetration testing, code review, and architecture analysis.
• Develop an effective business-resiliency program that addresses business continuity, disaster recovery and incident response.
• Encrypt sensitive data stored and in transit.
• Implement strong technical controls in accordance with best security practices.
• Be prepared to respond appropriately to any cybersecurity incidents.

Additional details for adopting these best practices are available from the EBSA and your plan provider.

Selecting Service Providers 

It is common for corporate 401(k) retirement plan sponsors and record keepers to rely on third parties to maintain plan records, safeguard participants’ data, and manage online security. The EBSA offers the following tips to help fiduciaries select and monitor these outside service providers.

• Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
• Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions giving fiduciaries the right to review audit results.
• Evaluate the service provider’s track record, including records of information security incidents, litigation or other legal proceedings related to the vendor’s services.
• Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
• Ask if the service provider has insurance policies to cover losses caused by internal and external cybersecurity and identity theft breaches.
• Ensure the contract with a chosen service provider details its ongoing, mandatory compliance with cybersecurity, confidentiality and information-security standards. This can include written policies for using and sharing plan participants’ personal information and retaining and destructing records, proof of insurance coverage for privacy breaches, errors and omissions, and professional and cyber liabilities.

Retirement plan fiduciaries should become familiar with the EBSA’s new guidance and begin the process of ensuring their policies, plans and processes adhere to these minimum standards of best practices. The Corporate Retirement Plan group with Provenance Wealth Advisors (PWA) works with company fiduciaries to help them understand their cybersecurity responsibilities and evaluate service providers.

About the Author: Sean Deviney is a CFP®* professional, a retirement plan advisor and a director with Provenance Wealth Advisors (PWA), an Independent Registered Investment Advisor affiliated with Berkowitz Pollack Brant Advisors + CPAs and a registered representative with PWA Securities, LLC. He can be reached at the firm’s Fort Lauderdale, Fla., office at (954) 712-8888 or info@provwealth.com.

Provenance Wealth Advisors (PWA), 200 E. Las Olas Blvd., 19th Floor, Ft. Lauderdale, FL 33301 (954) 712-8888.

Sean Deviney, CFP®*, is a registered representative of and offers securities through PWA Securities, LLC, Member FINRA/SIPC.

This material is being provided for information purposes only and is not a complete description, nor is it a recommendation. The information has been obtained from sources considered to be reliable, but we do not guarantee that the foregoing material is accurate or complete. There is no guarantee that these statements, opinions or forecasts provided herein will prove to be correct.

Any opinions are those of the advisors of PWA and not necessarily those of PWA Securities, LLC. While we are familiar with the tax provisions of the issues presented herein, as Financial Advisors of PWAS, we are not qualified to render advice on tax or legal matters. You should discuss any tax or legal matters with the appropriate professional. Prior to making any investment decision, please consult with your financial advisor about your individual situation.

401(k) plans are long-term retirement savings vehicles. Withdrawal of pre-tax contributions and/or earnings will be subject to ordinary income tax and, if taken prior to age 59 1/2, may be subject to a 10% federal tax penalty. Investments mentioned may not be suitable for all investors. There is no guarantee that these statements, opinions or forecasts provided herein will prove to be correct.

* Certified Financial Planner Board of Standards Inc. owns the certification marks CFP®, CERTIFIED FINANCIAL PLANNER™ and federally registered CFP (with flame design) in the U.S., which it awards to individuals who successfully complete CFP Board’s initial and ongoing certification requirements.

To learn more about Provenance Wealth Advisors estate planning services click here or contact us at info@provwealth.com

Updated on February 2, 2024