Department of Labor Issues First-Ever Cyberthreat Guidance for Retirement Plan Fiduciaries By Sean Deviney, CFP®

The Department of Labor’s Employee Benefits Security Administration (EBSA) recently released cybersecurity guidance to help retirement plan sponsors (employers and business owners), record keepers and other plan fiduciaries mitigate the growing risks of cyber threats, including fraud and identity theft.

According to the EBSA, employer-sponsored retirement plans regulated by the Employee Retirement Income Security Act (ERISA) hold more than $9 trillion in assets and maintain personal identifying information about millions of plan participants. Sufficient protections are therefore required to safeguard retirement assets and participants identities from a long list of cybercrimes. Included in the EBSA’s first round of guidance are best practices for fiduciaries of 401(k) plans, pensions and profit-sharing plans to adopt for managing cybersecurity risks and selecting service providers with equally strong cybersecurity practices.

Cybersecurity Program Best Practices 

The EBSA recommends retirement plan fiduciaries, including third-party service providers responsible for managing and maintaining IT systems and data, take the following broad steps to mitigate cyber risks.

• Develop and maintain a formal, well-documented cybersecurity program.
• Conduct prudent annual risk assessments.
• Use reliable, independent third parties to conduct annual audits of security controls.
• Define and assign information security roles and responsibilities.
• Institute strong access-control procedures for user authentication and authorization.
• Conduct periodic cybersecurity awareness training.
• Ensure that assets and data stored in a cloud or managed by third-party service providers are subject to regular security reviews and independent security assessments.
• Implement and manage a secure system development life cycle (SDLC) program that includes penetration testing, code review, and architecture analysis.
• Develop an effective business-resiliency program that addresses business continuity,
  disaster recovery and incident response.
• Encrypt sensitive data stored and in transit.
• Implement strong technical controls in accordance with best security practices.
• Be prepared to respond appropriately to any cybersecurity incidents.

Additional detail for adopting these best practices is available from the EBSA and your plan provider.

Selecting Service Providers 

It is not uncommon for corporate 401(k) retirement plan sponsors and record keepers to rely on third parties for maintaining plan records, safeguarding participants’ data, and managing online security. To help fiduciaries select and monitor these outside service providers, the EBSA offers the following tips.

• Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
• Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions giving fiduciaries the right to review audit results.
• Evaluate the service provider’s track record, including records of information security incidents, litigation or other legal proceedings related to the vendor’s services.
• Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
• Ask if the service provider has any insurance policies intended to cover losses caused by both internal and external cybersecurity and identity theft breaches.
• Ensure the contract with a chosen service provider details its ongoing, mandatory compliance with cybersecurity, confidentiality and information-security standards. This can include written policies for using and sharing plan participants’ personal information and retaining and destructing records as well as proof of insurance coverage for privacy breaches, errors and omissions, and professional and cyber liabilities.

Retirement plan fiduciaries should become familiar with the EBSA’s new guidance and begin the process of ensuring their policies, plans and processes adhere to these minimum standards of best practices. The Corporate Retirement Plan group with Provenance Wealth Advisors (PWA) works with company fiduciaries to help them understand their cybersecurity responsibilities and evaluate service providers.

About the Author: Sean Deviney is a CFP® professional, a retirement plan advisor and a director with Provenance Wealth Advisors (PWA), an independent financial services firm affiliated with Berkowitz Pollack Brant Advisors + CPAs. For more information, call (954) 712-8888 or email info@provwealth.com.

Provenance Wealth Advisors, 515 E. Las Olas Blvd., Ft. Lauderdale, FL 33301 (954) 712-8888.

Sean Deviney is a registered representative of and offers securities through Raymond James Financial Services, Inc., Member FINRA/SIPC.  Raymond James is not affiliated with and does not endorse the opinions or services of Berkowitz Pollack Brant Advisors and Accountants.  PWA is not a registered broker/dealer and is independent of Raymond James Financial Services. Investment Advisory Services offered through Raymond James Financial Services Advisors, Inc., and Provenance Wealth Advisors.

This material is being provided for information purposes only and is not a complete description, nor is it a recommendation. Any opinions are those of PWA and not necessarily those of Raymond James. You should discuss any tax or legal matters with the appropriate professional. The information contained in this report has been obtained from sources considered to be reliable, but Raymond James does not guarantee that the foregoing material is accurate or complete.

401(k) plans are long-term retirement savings vehicles. Withdrawal of pre-tax contributions and/or earnings will be subject to ordinary income tax and, if taken prior to age 59 1/2, may be subject to a 10% federal tax penalty. Investments mentioned may not be suitable for all investors. There is no guarantee that these statements, opinions or forecasts provided herein will prove to be correct.

* Certified Financial Planner Board of Standards Inc. owns the certification marks CFP®, CERTIFIED FINANCIAL PLANNER™ and federally registered CFP (with flame design) in the U.S., which it awards to individuals who successfully complete CFP Board’s initial and ongoing certification requirements.

To learn more about Provenance Wealth Advisors estate planning services click here or contact us at info@provwealth.com

Posted on 7/6/2021