What are the DOL cybersecurity guidelines, and why were they released?
Allison (0:53):
Okay, so let me just give some big picture to help the audience really understand the context here. Regulators have really been focusing on security in retirement plans for quite a while now. The Securities and Exchange Commission issued some guidelines last year, and the Department of Labor is now following suit. They issued guidelines in April 2021, about the kind of things that plan sponsors should be looking for, with regard to their own security over their retirement plan and also the security controls of their various service providers. Retirement plans, I don't think it's any secret or surprise that retirement plans have been really the victim of lots of different cyber attacks over the last few years. And this is really the regulator's way of trying to get some mitigation over those kind of risks. So the kind of things that they're looking for in the guidelines. It's a 12 point process. And they're really looking for things like encryption over data. The fact that the service provider has security policies, a security audit, has done risk assessments, making sure that the plan sponsor asks questions about prior data breaches, and really understands what those incidents were about, and really doing a holistic risk assessment on the service provider, not so much for their services, because we hope that plan sponsors are doing that anyway, but now adding another layer to that review, and making sure that plan sponsors are also focusing on security controls.
Is there any other legislation or other things in the works regarding this topic that we should be aware of?
Allison (2:51):
Definitely. So I mentioned before that the Department of Labor issued these guidelines in April. And what we're now hearing is that the department is starting audits of plans, specifically for security. And so I think that's a really important thing to understand. Because as a practical matter, this opens up the door to other items that the department might want to audit a plan about. And so it's a way for the department to, you know, examine a particular plan around security, but it's just going to open up the door to other things. And I think plan sponsors should really be aware of that. What we're hearing is that these audits are starting, now that they've started about, you know, roughly within the last few weeks, and they're sending letters to plan sponsors, asking for the production of documents to show that the plan sponsor has thoroughly vetted themselves and their service providers for all the different kinds of things that I just mentioned, like encryption, security policies, prior data breaches, you know, things like that.
If there was one or two key takeaways that we could share with plan sponsors, to help them protect themselves and their plans, what would those key tips be?
Allison (4:19):
It's really hard to think of just one, so I'll kind of frame it. I'll give you a shortlist. How about that? I'd say number one, security controls over distributions. There's lots of ways that monies leave a plan. You know, there's hardship distributions, loans, in service withdrawals, rollovers, you know, all of those things and plan sponsors really should make sure that their service providers have in place security measures that seem reasonable and seem to take, you know, to achieve the goal of making sure that when money is requested out of the plan, that it's actually going to the authentic, real participant and not a third party imposter. So that's really sort of tip number one.
I think tip number two. And this is in no particular order, by the way. And I would say this is just as important. If your service provider offers some form of multi factor authentication, you should really be encouraging your employees to take advantage of those protections. Just like at a bank, you know, where you get a text message saying that there's been a charge on your credit card or something of that nature, lots of service providers are now offering similar kinds of protections. And this is, you know, something that employees and individuals should take advantage of for all of their financial accounts, not just retirement plans. But since this is a focus of the Department of Labor's exercise, there is something that the plan sponsor can be doing here to make sure and raise awareness among its employees, that, you know, this kind of protection is just as important in their retirement plan, as it is in all of their other financial accounts as well.
And I'd say third, just to give a top three, would really be making sure that the plan sponsor's own house is in order. Like I mentioned, the Department of Labor is starting to conduct these audits. And they're asking for the production of these policies and other documents to show that the plan sponsor has been thinking about these areas. So better to do that. Now, before an audit letter comes your way than to scramble, you know, in the aftermath of receiving one of these letters. You know, like I mentioned before, a lot of times these letters, even though they may focus on security, can open up the door to other things. And so you definitely want to be prepared before you're in crisis mode, to have all of this documentation in place. And oftentimes, you know, you may have an attorney or in house counsel or someone that you can trust to help you with these kinds of procedures, you know, and documenting these kind of policies. But that's really what the department is looking for really just evidence that the plan sponsor has thought about security, and has taken reasonable steps to make sure that their plan and the participants are protected.